New variants of Android.Lockscreen are using pseudorandom passcodes to prevent victims from unlocking devices without paying the ransom. Previous versions of these threats locked the screen and used a hardcoded passcode, but analysts were able to reverse engineer the code to provide victims with the passcode to unlock their devices. Attackers have also combined a custom lockscreen with the device's lockscreen to create an additional hurdle for those infected. Similar to some other mobile threats we've observed, these Trojans are being created directly on mobile devices before being distributed. Symantec detects these threats as Android.Lockscreen.
Once a device has been compromised by the Trojan, it creates a custom System Error window, as we previously discussed in an earlier blog. This type of window is imposed on top of every visible UI on the compromised device. In this window, the malware displays intimidating messages and asks the user to enter a passcode which can be obtained by talking to the attackers (Figure 1).
Figure 1. SYSTEM_ERROR_WINDOW with instructions on how to unlock the device
Older versions of this Trojan had the passcode used to unlock devices hardcoded in the sample's code. Newer variants have eliminated the hardcoded passcode and replaced it with a pseudorandom number as seen in Figures 2 and 3. Some variants generate a six-digit number and some generate an eight-digit number.
Figure 2. Pseudorandom number generator for six-digit code
Figure 3. Pseudorandom number generator for eight-digit code
In the incident shown in Figure 2, for example, the unlock passcode would be 137911. This is generated in the following way: 139911 – 2000 = 137911
The generated number will be different for every infection, as the base number is calculated using the "Math.Random()" function.
The malware authors have also combined pseudorandom number passcode generation with a previously used trick to fortify their threat. In addition to a customized lockscreen created using the System Error window type, the attackers also use device admin privileges to change the PIN of the Android device's normal lockscreen. However, Android Nougat will thwart calls to "resetPassword()" if the device PIN was set by the user prior to infection.
Symantec recommends users follow these best practices to stay protected from mobile threats:
Symantec and Norton products detect the threat discussed in this blog as: