One of the most prevalent Android ransomware threats in the West has now expanded to Asia, choosing Japan as its first target. This Android.Lockdroid campaign began in March 11 and poses as a system update. Once the ransomware detects that it’s installed on a device in Japan, it displays the ransom message in Japanese. This is the first time that we have seen mobile ransomware for Western users displaying any Asian language.
Figure 1. Recent Android.Lockdroid variants target Western regions and Japan
If the ransomware arrives on the phone, it requests device administrator features and locks the device from use. In many attacks, users need to perform a factory reset to restore their device.
For most cases, Android.Lockdroid needs to be manually downloaded from adult sites to infect devices. It could also automatically arrive on the device when the user clicks on links, many of which are advertising, on these websites.
Figure 2. Adult website distributing the app
The malware may pose as a pornographic video app and try to trick users into installing it. Some variants pretend to be system updates and attempt to deceive users into believing that a patch is required for their operating system. The March 11 campaign mainly distributes the system update variants.
Figure 3. Android.Lockdroid disguises itself as adult video apps or system updates
Tailoring ransom warnings for different regions
During the installation process, the app asks the user to activate device administrator features. If the user does this, then the ransomware can prevent its removal, even when the operating system is booted into safe mode.
These particular Android.Lockdroid variants wait 30 minutes or longer until they begin their activity. This is because the malware doesn’t want the user to suspect that the app they’ve just installed is the culprit. If the device is not connected to the internet or is having difficulty reaching its command and control (C&C) servers, then the Trojan may display a message asking the user to try the app again at a later time.
Figure 4. Message shown when the app can’t connect to the server
Once the malware has access to C&C servers, it uploads device information to determine the phone’s language. If the server finds that the app is on a Japanese device, it pushes out a ransom message localized for Japanese users. If the user is located in the US, the app displays the warning in English, while users in Europe receive notices in their own languages. If the ransomware does not have a ransom message for the user’s region, then the server sends the message in English, purporting to be from Interpol.
Figure 5. The language of the messages vary by region
During our investigation, there were no messages localized for Asian regions apart from Japan. Symantec confirmed this to be the case for China, Hong Kong, India, Malaysia, South Korea, Singapore, and Thailand. For these regions, the Interpol message was displayed. Based on this analysis, we can conclude that the attackers are currently testing their threat in Asia by first targeting Japanese users.
In all languages, the ransom message states that law enforcement has locked the device because the user has viewed or stored illegal pornography on the device. The warning asks the user to pay a fine to unlock the device.
The app also attempts to take a picture of the victim using the device’s front camera. The threat displays the photo as part of the ransom warning, along with other data gathered from the device such as the IP address, region, device model, OS version, and the name of the user. This strategy aims to scare the user into paying the ransom.
As with past Android.Lockdroid campaigns, the latest variants ask the user to pay the fine using an iTunes card. The cost is either 10,000 yen, US$100, or €100, depending where the victim is located.
Figure 6. Android.Lockdroid variants’ ransom screen with user images (left) and its payment request screen (right)
It was only a matter of time before mobile ransomware expanded into Asia, as this was the case for ransomware for PCs. We expect to see more Android ransomware campaigns targeting this continent.
Users can attempt to remove Android.Lockdroid in safe mode. Note that the name of the app on the device may be different from the one listed in Android’s settings. However, in cases where the malware has device administrator features, it can prevent users from doing this, meaning that the phone can only be restored through a factory reset.
The following measures are also recommended to help users to protect their devices against Android.Lockdroid:
- Use a comprehensive security solution such as Symantec Mobility or Norton Mobile Security to protect against mobile threats
- Only install apps from trusted sources
- Pay close attention to the permissions requested by mobile apps
- Back up your device frequently
- Keep software up to date
Symantec and Norton products have the following detections for the Android.Lockdroid variants seen in this campaign:
The following list includes the MD5s for the .apks analyzed in this blog: