Android.Lockerscreen uses pseudorandom passcodes to ensure payouts


The criminals behind the Android.Lockerscreen ransomware have started using pseudorandom numbers to prevent their victims from unlocking their devices for free, in order to ensure their ransom is paid.

Earlier versions of the malware contained passwords that were hardcoded into the trojan itself, but researchers were able to reverse engineer these codes and unlock phones without users having to pay the ransom, according to Symantec's blog post on 27 September.

To prevent this, the malware authors did away with the hardcoded passwords and introduced a pseudorandom passcode generator that produces a unique six- or eight-digit number for every infection using the "Math.Random()" function.

“There are few cases where the author of the malware uses the base number as the infection ID and leaves it in the screen, so adding a particular offset to that ID will yield the lock key,” Symantec principal threat analysis engineer Dinesh Venkatesan told SCMagazine.com via emailed comments. “In a few other cases, the entire key would be kept random without a base number.”

He said in those cases the malware author has the additional overhead expense of maintaining a database with the unique infected users and the keys.

As an extra layer of defiance, the ransomware includes an attack which uses the device's admin privileges to change the PIN on an Android device's lock screen. Researchers also noted that these trojans are being created directly on mobile devices before being distributed.

The malware spreads when victims are tricked through social engineering into downloading it from websites or third-party app stores. Once a device is infected, the trojan creates a custom system error window which is imposed on top of every visible user interface on the compromised device.

In one instance researchers spotted a variant displaying an intimidating message telling the victim to enter a passcode which can only be obtained by communicating with the attacker.

Researchers recommend users keep their software updated, refrain from downloading unfamiliar apps or anything from untrusted sources, pay close attention to requested permissions, install mobile security apps, and frequently back up their data.

This article originally appeared at scmagazineus.com

Copyright © SC Magazine, US edition