Android.Lockdroid.E has been seen using a dropper technique to drop a version of itself on rooted Android devices. While this is not an uncommon technique, this is the first time we've seen it used to deliver ransomware to Android devices. In addition to this relatively effective technique, the same attackers have implemented a rather ineffective 2D barcode technique in an effort to receive payment from users affected by this threat.
The malware that is used to drop Android.Lockdroid.E is spread through third-party app stores, as well as deceptive text messages and forum posts. It will attempt to drop a version of itself on rooted device, or simply lock devices that have not been rooted. When it is installed on a device, it checks to see whether the device has been rooted. If the device has been rooted, it displays a screen claiming that root access permission is required to access to thousands of adult movies for free to entice users to click on it. If the user clicks on the okay button, it will drop a version of itself by:
- Remounting the /system partition
- Copying the embedded APK file for Android.Lockdroid.E contained in the assets folder into /system/app/[THREAT NAME].apk
- Change Changing the dropped APK file's permission to executable
- Rebooting the device so the threat can run on boot completed as a system application
Figure 1. APK is dropped into /system/app/[THREAT NAME].apk
When the threat becomes a system application, it cannot be easily uninstalled from the device. Once this is complete and Android.Lockdroid.E has been successfully dropped on the device, Lockdroid.E locks the device and displays the ransom screen and 2D barcode.
If the device has not been rooted, Lockdroid.E immediately locks the device and displays the ransom screen and barcode. In this case, it does not drop anything onto the compromised device.
A difficult ransom to pay
When the Trojan locks the device, it displays the following screen with a 2D barcode and instructions to pay the ransom:
Figure 2. Android.Lockdroid.E lockscreen with 2D barcode
The instructions ask the user to scan the barcode to log in to a messaging app to pay the ransom. While this may seem like a good idea to have victims pay the ransom for their device, it is ineffective in practice. There is no way to scan the barcode or log in to the messaging app from the compromised device, so the barcode must be scanned from a second device. This makes it more difficult for the victim to pay their ransom and for the attacker to receive payment.
As cybercriminals continue to develop new techniques and repurpose old ones, Symantec recommends users follow these best practices to stay protected from mobile threats:
- Keep your software up to date
- Refrain from downloading apps from unfamiliar sites and only install apps from trusted sources
- Pay close attention to the permissions requested by apps
- Install a suitable mobile security app, such as Norton, to protect your device and data
- Make frequent backups of important data
Symantec and Norton products detect the threat discussed in this blog as Android.Lockdroid.E.