A new piece of Android ransomware has emerged that is capable of changing PINs, locking devices and even wiping user data entirely through a factory reset, Symantec researchers warn. Dubbed "Lockdroid" (Android.Lockdroid.E) by Symantec, the malware was found to trick users into granting it device administrator rights. Once it holds those rights it can encrypt the user's files and carry out a range of other malicious operations, the security firm said.
As Symantec's Martin Zhang explains in a blog post, the malware poses as an app for viewing adult material and uses refined social engineering to obtain administrator rights. After installation it displays a fake "Software Installation" window that tricks users into activating it as a device administrator, which is what enables it to carry out its more aggressive extortion.
The malware is not only able to encrypt files, perform factory resets and lock the device; it also prevents users from uninstalling it, whether through the command line or the user interface, Symantec's research found. This follows directly from the privilege it tricks the user into granting: Android refuses to uninstall a package while it is an active device administrator, so the app cannot be removed until that status is revoked in the device administrator settings.
To display the fake Package Installation dialog, Lockdroid (Android.Lockdroid.E) uses a TYPE_SYSTEM_ERROR window, which is drawn on the topmost layer of the screen and therefore conceals the call to the device administrator request API that is running underneath it. To allay suspicion, after the user taps the "Continue" option on the fake window, the malware shows a fake "Unpacking the components" dialog.
After a short pause in which nothing actually happens, the malware shows a final "Installation is Complete" dialog, and this is the step at which it gains its elevated privileges on the system. For that it uses a TYPE_SYSTEM_OVERLAY window launched on top of the device administrator activation dialog. A window of that type does not receive touch input, so the user's tap on the fake button falls through to the real activation control beneath it, effectively tricking the user into granting the app device administrator rights.
According to Symantec, cybercriminals can use the same clickjacking technique for other malicious actions as well. A root permission manager, a tool that watches the system for applications attempting to elevate their privileges to root (by calling "su"), displays a dialog asking the user to authorize the request on the application's behalf before allowing it to proceed, and malware could abuse the same overlay trick to get that dialog approved.
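The device-administrator abuse described in the preceding paragraphs leaves a static footprint that an analyst can check for before running a sample: an app that requests the overlay permission (SYSTEM_ALERT_WINDOW) and also registers a device-admin receiver whose policy file asks for lock, password-reset and wipe rights has everything Lockdroid needs. The script below, an added example that is not Symantec's tooling or code from the malware, triages a decoded AndroidManifest.xml and the device-admin policy XML (the form apktool produces). Both sample documents, the package name and the receiver name are constructed for the example, not taken from the real sample.

```python
"""Static triage for the Lockdroid-style combination: overlay permission +
device-admin receiver + lock/reset/wipe policies. Example code added here,
not Symantec's tooling. Inputs are decoded AndroidManifest.xml and
res/xml/device_admin.xml as apktool writes them."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
OVERLAY_PERMISSION = "android.permission.SYSTEM_ALERT_WINDOW"
ADMIN_BIND_PERMISSION = "android.permission.BIND_DEVICE_ADMIN"

# Device-admin policies that give ransomware the capabilities described above.
RANSOM_POLICIES = {
    "force-lock": "can lock the screen at will",
    "reset-password": "can change the PIN/password",
    "wipe-data": "can factory-reset the device",
}

# Constructed manifest (hypothetical package and receiver names).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakeplayer">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Video Player">
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <meta-data android:name="android.app.device_admin"
                 android:resource="@xml/device_admin"/>
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed res/xml/device_admin.xml: the policies the admin asks for.
SAMPLE_DEVICE_ADMIN = """<device-admin xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-policies>
    <force-lock/>
    <reset-password/>
    <wipe-data/>
  </uses-policies>
</device-admin>"""

# Constructed benign manifest: no overlay permission, no admin receiver.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>"""


def android_attr(name):
    """Qualified ElementTree name for an android:<name> attribute."""
    return "{%s}%s" % (ANDROID_NS, name)


def manifest_facts(manifest_xml):
    """Extract the two manifest facts the heuristic needs."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(android_attr("name")) for e in root.iter("uses-permission")}
    admin_receivers = [
        r.get(android_attr("name")) for r in root.iter("receiver")
        if r.get(android_attr("permission")) == ADMIN_BIND_PERMISSION
    ]
    return {"overlay": OVERLAY_PERMISSION in perms,
            "admin_receivers": admin_receivers}


def admin_policies(device_admin_xml):
    """Return the policy tags listed under <uses-policies>, if any."""
    root = ET.fromstring(device_admin_xml)
    node = root.find("uses-policies")
    return [] if node is None else [child.tag for child in node]


def triage(manifest_xml, device_admin_xml=""):
    """Combine the facts into findings and a verdict."""
    facts = manifest_facts(manifest_xml)
    policies = admin_policies(device_admin_xml) if device_admin_xml else []
    findings = []
    if facts["overlay"] and facts["admin_receivers"]:
        findings.append(
            "SYSTEM_ALERT_WINDOW plus device-admin receiver %s: the admin "
            "activation prompt can be clickjacked on Android < 5.0"
            % ", ".join(facts["admin_receivers"]))
    dangerous = [p for p in policies if p in RANSOM_POLICIES]
    for p in dangerous:
        findings.append("%s: %s" % (p, RANSOM_POLICIES[p]))
    # Verdict requires all three ingredients, not just one of them.
    suspicious = bool(facts["overlay"] and facts["admin_receivers"] and dangerous)
    return {"suspicious": suspicious, "policies": policies, "findings": findings}


if __name__ == "__main__":
    for label, manifest, policy in (("sample", SAMPLE_MANIFEST, SAMPLE_DEVICE_ADMIN),
                                    ("benign", BENIGN_MANIFEST, "")):
        result = triage(manifest, policy)
        print(label, "suspicious:", result["suspicious"])
        for line in result["findings"]:
            print("  -", line)
```

The verdict deliberately requires all three ingredients. Plenty of legitimate apps (MDM agents, anti-theft tools) declare a device-admin receiver with wipe-data, and chat-head style apps request SYSTEM_ALERT_WINDOW; it is the overlay capability sitting next to an admin receiver in an app with no business being either that should send the sample to dynamic analysis.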
Google hardened Android in version 5.0 Lollipop by preventing the window types mentioned above from being displayed over the system permission dialog, which means the clickjacking technique can only be used against devices running versions prior to Android 5.0. That still leaves around 66 percent of the Android devices in use vulnerable to this attack. Note that the fix covers the system's own permission dialogs; an app that presents its own security-sensitive prompt still has to opt in to touch filtering (filterTouchesWhenObscured) to reject taps delivered through an overlay.
The good news is that the offending app, called Porn "O" Mania, is not distributed through Google Play but is instead found on torrent sites, forums and third-party app stores. Symantec explains that users with Google Play installed are protected even if they download it from outside sources, thanks to the Verify Apps option in the Security section of the Settings menu.
To be fully protected, however, users should download and install apps only from trusted app stores. They should also have a security app installed and enabled on their devices, and should keep the device and its apps up to date at all times.
Android ransomware that changes a device's PIN code is not new: in September 2015, ESET researchers found a similar piece of malware named Android/Lockerpin.A.