Android ransomware shuts out users by changing lock PIN

A new strain of Android ransomware is able to shut device owners out of their phone by resetting their lock screen PIN, researchers have found.

Dubbed Android/Lockerpin.A by infosec firm Eset, the ransomware works by tricking users into allowing the malicious application device administrator privileges. 

LockerPin.A is spread through social engineering, luring users to download and install a trojan horse app called "Porn Droid". The ransomware appears to be similar to the malicious software discovered by security vendor Zscaler in May this year.

Once installed, LockerPin.A overlays a fraudulent patch installation window on top of an activation notice which when clicked on by the user, grants the malware rights to make changes to device settings.

Lockerpin.A then resets the personal identification number (PIN) the user has set to unlock the screen to a randomnly generated set of digits, shutting them out of their device.

To get back in, users are told to pay a US$500 ransom for "allegedly viewing and harbouring forbidden pornographic material".

The malware also ensures users can't deactivate the admin rights for the ransomware by registering a call-back function to reactivate the privileges when the user attempts to remove them.

Phone owners can get back into their device if it is rooted or if they have a mobile device management solution that allows them to reset the PIN.

The only other option to regain control is by performing a factory reset, which would result in a user losing all their data.

"After clicking on the button, the user's device is doomed," Eset researcher Lukas Stefanko wrote in a blog post.

"Users have no effective way of regaining access to their device without root privileges or without some other form of security management solution installed, apart from a factory reset that would also delete all their data.

"Moreover, this ransomware also uses a nasty trick to obtain and preserve device administrator privileges so as to prevent uninstallation."

The ransomware is the first of its kind known to set a device's PIN lock.

Previous versions of similar Android trojans achieved screen-locking by bringing the ransom window to the foreground in an infinite loop, Eset said.

But users could get rid of the malware by unlocking the device with Android Debug Bridge (ADB) or deactivating administrator rights and uninstalling the malicious application in safe mode.

The real-world threat of the malware is low given it is available in third-party application stores, and presents itself as an app for pornography.