PIN-changing Android ransomware spreading in the US

Before you get all riled up, this isn't yet another Android vulnerability like Stagefright. This is your run of the mill malware installed through social engineering or carelessness, but one that has far graver ramifications than other ransomware. Discovered by researchers from security company ESET, the Android/Lockerpin.A ransomware goes the extra mile to actually change your device's PIN code in such a way that trying to reset the PIN will lock the user, and ironically the attacker too, from the device completely, with no recourse other than a factory reset.

Lockerpin.A definitely ups the ante when it comes to malware sophistication. For one, it overlays a "fake" window on top of a real one that cons users into giving the malware administrator privileges. While other ransomware simply display a persistent "lock" screen to force people to pay the ransom in exchange for their files, Lockerpin.A really changes the PIN code to lock users out. And while those older types of ransomware could easily be removed with ADB or deactivating admin privileges, trying to remove Lockerpin.A is both futile and dangerous.

The malware, once given admin privileges, tries to kill anti-virus software to protect itself. And in case users try to remove its admin access, the malware simply displays yet another fake window that again dupes users into actually giving back those privileges. And when users try to reset the PIN, a random PIN is generated keeping the user still locked out. Somewhat ironically, that new PIN isn't actually sent back to the attacker, so it also keeps the attacker out as well.

In this case, the user might be forced to do a factory reset to get control back, effectively deleting all his or her files as well. The only non-destructive solution is available only when the device is rooted or has some other Mobile Device Management (MDM) feature enabled.

ESET's analysis revealed that about 77 percent of infected devices are in the US. The one silver lining to this aggressive malware is that it isn't one users will easily encounter by downloading apps from trusted sources like Google Play Store. The malware masquerading as an app has to be intentionally downloaded and installed by the user. And the most common form of fake app this Lockerpin.A takes? Porn apps.

SOURCE: ESET