Dumb PIN-reset Android malware found in the wild

Aggressive Lockerpin ransomware seizes admin control and changes PIN code to something that even the attackers don't know.

lockerpin
lockerpin

The first Android PIN-resetting ransomware to be discovered in the wild has been reportedly found by researchers at ESET.

Interestingly, it appears the attackers are concentrating on devices located in North America. Critically, an analysis of the code reveals that the attackers actually have no means of unlocking a hacked device.

“Based on ESET's LiveGrid statistics, the majority of the infected Android devices are in the USA with a complete percentage share of over 75 percent,” said  ESET's detection engineer Lukáš Štefanko. “This is part of a trend where Android malware writers are shifting from mostly targeting Russian and Ukrainian users to Americans where they can arguably make higher profits.”

Like a lot of malware attacking Android phones, this new malware – dubbed Lockerpin – is distributed from unverified third-party app stores and other sources. After tricking a user into downloading it, the malware attempts to escalate its privileges to administrator by placing a customised message in a window over the system message to make it appear as if it's a software update.  

Once installed, it changes the phone's PIN code and demands a ransom of US$500 (£300).

ESET said that for “unrooted devices that aren't protected by a security solution, there is no simple way to change the PIN except for a factory reset” – with a resulting loss of data.

Those who decide to pay the ransom will be disappointed, said ESET – as the password is set randomly, even the attackers don't know what it is, but by the time you discover this, it's impossible to get your money back.

ESET said that this malware is a step up from previous lockscreen Trojans which locked users out by bringing their lockout screen to the foreground in an infinite loop. For the tech savvy, these Trojans were easy to disable but, by gaining admin rights, Lockerpin is more sophisticated and can only be removed by going into safe mode or using Android Debug Bridge (ADB).

Attempts to deactivate admin rights for the malware will fail because of the use of an aggressive self-defence mechanism – a call-back function that reactivates the privileges.

Instead, victims have to remove the random password but this is only possible if the Android device has been rooted or has an MDM solution capable of resetting the PIN, said ESET. For rooted devices, connect to the device by ADB and remove the password.key file – details are on the ESET blog.

Kevin Epstein, VP of advanced security and governance at Proofpoint, commented: “Clearly, there's a need for targeted attack protection for mobile. Proofpoint's research on 'The Human Factor' suggests everyone clicks; the social engineering component of this attack, wherein devices are compromised because a user allows the malware administrative rights, suggests mobile users are just as vulnerable as laptop users. The solution: don't click on anything that you don't understand.”