Being a good listener is normally considered an admirable quality in a person; however, it isn’t a quality you necessarily want to find in a piece of malware. The latest variant of the Android ransomware threat Android.Lockdroid.E is a great listener. In fact, if you say the right things it might even give you back access to your phone. The threat uses speech recognition APIs and requires its victims to speak an unlock code instead of the traditional method of typing it in.
Once Android.Lockdroid.E infects a device it locks the user out using a SYSTEM type window and then displays a ransom note. The ransom note is written in Chinese and gives instructions on how to unlock the device. The note provides a QQ instant messaging ID to contact in order to receive further instructions on how to pay the ransom and receive an unlock code. Since the user’s device is locked, another device must be used to contact the cybercriminals behind the threat.
Figure 1. Lock screen with instructions
The note also instructs the victim to press a button, which starts the speech recognition functionality.
Figure 2. Code showing the threat initiating the speech recognition module
The malware uses third-party speech recognition APIs and compares the spoken words heuristically with the expected passcode. If the input matches up, the malware removes the lockscreen.
In some cases, the recognized words are normalized to accommodate the small inaccuracies that an automated speech recognizer is bound to introduce.
The malware stores the lockscreen image and the relevant passcode in one of its Assets files in encoded form with additional padding. I was able to extract the passcode using an automated script. Figure 3 shows a couple of examples of the types of passcodes the threat uses. It should be noted that the threat will use a different passcode for each infection.
Figure 3. Passcode examples used by the threat
In a previous blog, I discussed how another Android.Lockdroid.E variant used an inefficient 2D barcode ransom demand, which required the user to scan the code on the lockscreen with another device in order to log into a messaging app to pay the ransom. This made it difficult for the victim to pay the ransom and for the attacker to receive payment. This latest technique of using speech recognition is also rather inefficient because the victim must still use another device to contact the criminals.
While analyzing these latest Android.Lockdroid.E variants, I observed several implementation bugs such as improper speech recognition intent firing and copy/paste errors. It’s clear that the malware authors are continually experimenting with new methods to achieve their goal of extorting money from their victims. We can be certain this isn’t the last trick we’ll see from this threat family.
Symantec recommends users follow these best practices to stay protected from mobile threats:
- Keep your software up to date
- Refrain from downloading apps from unfamiliar sites and only install apps from trusted sources
- Pay close attention to the permissions requested by apps
- Install a suitable mobile security app, such as Norton, to protect your device and data
- Make frequent backups of important data
Symantec and Norton products detect the threat discussed in this blog as Android.Lockdroid.E.