Android ransomware mimics launcher to evade security

New variants of an Android ransomware called “Android.Lockscreen” are defining themselves as part of the launcher category in order to get around security measures that prevent Android apps from auto-starting upon installation.

The ransomware works by displaying a locked screen on infected devices, which prevents users from accessing their phones without the assistance of the attackers.

But the malware only locks users’ devices; it doesn’t encrypt their data. Victims should be able to use an anti-malware solution to delete the malware and once again access their phones.

Android Lockscreen: Attackers demand a phone call
Whenever a user first comes into contact with Android.Lockscreen, the ransomware asks for a number of permissions, including the ability to access and change the Wi-Fi state, end background processes, and access a list of current or recently running tasks.

Unsuspecting victims help to install the malware, and the malicious app displays an icon of a red-haired boy riding a bicycle, according to a technical write-up about the trojan.

Once someone executes the program, the ransomware creates a process known as “killserve” before locking the device with a password. It then demands that the victim contact the attackers to receive the password.

Abusing the launcher category to auto-start
The trojan can execute only if the malicious application launches after installation. Android’s developers made it that way with the release of Android 3.1 (Honeycomb). For that version of Google’s mobile operating system, they created a new feature that blocks applications from silently and automatically launching upon installation.

Since then, attackers have tried to circumvent the feature in a number of ways. Most have used social engineering techniques, but a few have relied on more creative tactics.

In the newest variants of Android.Lockscreen, for example, the ransomware defines itself as part of the launcher category to disguise itself as Android’s legitimate home screen. Whenever a user clicks the home button, the app will trigger. All that remains is for the victim to select the ransomware’s fake launcher as their device’s home app.

It’s not an impossible task. Dinesh Venkatesan of Symantec explains that Android.Lockscreen has a language-based advantage:

The malware was named Android for two reasons, he says: “Firstly, since the launchers are listed alphabetically the malware will be listed above Android’s default launcher (named ‘Launcher’), secondly, the name ‘Android’ may make some users believe the launcher is legitimate and part of the Android OS.”

Clicking “Android” in this case launches the malicious app, which executes Android.Lockscreen and causes the trojan to lock the victim’s device.
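For defenders triaging a suspicious APK, the traits described above can be checked in its decoded manifest. The following is an added example, not code from Symantec or from the original article. It assumes the home-screen behaviour corresponds to an intent filter with android.intent.category.HOME and that the requested permissions map to the manifest names shown; the package name, sample manifest and triage() function are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
MAIN, HOME = "android.intent.action.MAIN", "android.intent.category.HOME"
# Assumed manifest names for the permissions the article lists.
WATCHED = {"android.permission." + p for p in (
    "ACCESS_WIFI_STATE", "CHANGE_WIFI_STATE", "KILL_BACKGROUND_PROCESSES", "GET_TASKS")}

# Constructed sample: a decoded AndroidManifest.xml for a made-up package.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sample">
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
  <uses-permission android:name="android.permission.CHANGE_WIFI_STATE"/>
  <uses-permission android:name="android.permission.KILL_BACKGROUND_PROCESSES"/>
  <uses-permission android:name="android.permission.GET_TASKS"/>
  <application android:label="Android">
    <activity android:name=".Main">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.HOME"/>
        <category android:name="android.intent.category.DEFAULT"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""

def triage(manifest_xml, stock_label="Launcher"):
    """Report home-screen registration, watched permissions and label ordering."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    app_label = app.get(NS + "label", "") if app is not None else ""
    home = []
    for act in [*root.iter("activity"), *root.iter("activity-alias")]:
        for flt in act.iter("intent-filter"):
            actions = {a.get(NS + "name") for a in flt.iter("action")}
            cats = {c.get(NS + "name") for c in flt.iter("category")}
            if MAIN in actions and HOME in cats:
                # An activity without its own label inherits the application label.
                home.append((act.get(NS + "name"), act.get(NS + "label") or app_label))
    perms = {p.get(NS + "name") for p in root.iter("uses-permission")}
    # Labels like "@string/app_name" are resource references and cannot be compared here.
    literal = [lbl for _, lbl in home if lbl and not lbl.startswith("@")]
    return {
        "package": root.get("package"),
        "home_activities": home,
        "watched_permissions": sorted(perms & WATCHED),
        # Heuristic: the label would be listed above the stock launcher's name.
        "sorts_before_stock": any(l.casefold() < stock_label.casefold() for l in literal),
    }
```

Legitimate third-party launchers also register for the HOME category, so a hit is a reason to look closer, not a verdict; the combination with the permission set and a label chosen to sort above the stock launcher is what matches the article's description.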

Building on other unique tactics
This isn’t the first time Android.Lockscreen has made news in 2016.

In September, the ransomware earned some media coverage for the implementation of a script that generates a pseudorandom number for the lock screen’s password.

Earlier variants unlocked the screen if users entered a password that was hardcoded into the trojan. But the authors of Android.Lockscreen decided to update their code, as security researchers could have easily leveraged a hardcoded password to build a tool that would have allowed victims to regain access to their devices without the attackers’ help.

What users can do to protect themselves
Symantec Threat Intelligence Officer Val Saengphaibul has some advice for how users can protect themselves against Android.Lockscreen:

“To stay protected, Symantec recommends consumers keep their software up-to-date and avoid downloading apps from unfamiliar sites and only install mobile apps from a trusted source. Symantec also suggests consumers pay close attention to the permissions that their mobile apps are requesting and install a mobile security app, such as Norton, to protect and safeguard their device and data.”
