
A new Android ransomware is using pseudorandom passcodes in the hope that users will give in and pay the ransom.

Once Android.Lockscreen infects a device, it creates a custom System Error window that asks the user to enter a passcode. Victims can obtain that passcode only by contacting the ransomware’s authors.

SYSTEM_ERROR_WINDOW with instructions on how to unlock the device (Source: Symantec)

It wasn’t always this way. As Symantec senior threat analysis engineer Dinesh Venkatesan notes in a blog post:

“Older versions of this Trojan had the passcode used to unlock devices hardcoded in the sample’s code. Newer variants have eliminated the hardcoded passcode and replaced it with a pseudorandom number as seen in Figures 2 and 3. Some variants generate a six-digit number and some generate an eight-digit number.”

Figure 2. Pseudorandom number generator for six-digit code (Source: Symantec)
Figure 3. Pseudorandom number generator for eight-digit code (Source: Symantec)

A hardcoded passcode made it easy for security researchers to crack the ransomware, allowing victims to decrypt their files for free.

Not so with newer versions. The Math.random() call shown in those figures produces a different pseudorandom number on each infection, so researchers cannot know in advance what passcode a given victim’s device will demand.

Unfortunately, that’s not where Android.Lockscreen ends. Venkatesan elaborates:

“In addition to a customized lockscreen created using the System Error window type, the attackers also use device admin privileges to change the PIN of the Android device’s normal lockscreen.”
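An analyst-side triage heuristic for the two behaviours described above (an added example, not code from the article or from Symantec): it scans decompiled Java-like source text for the System Error window type, Math.random()-based passcode generation and a device-admin PIN reset, and flags a sample only when these co-occur. The indicator regexes, the multiplier-to-digit-count inference and the sample fragments are constructed assumptions, not a vendor signature.

```python
import re
from dataclasses import dataclass, field

# Regexes for the behaviours the article describes: a System Error overlay,
# a Math.random()-derived passcode, and device-admin PIN reset. This is a
# constructed triage heuristic for analysts, not a vendor signature.
INDICATORS = {
    "system_error_window": re.compile(r"TYPE_SYSTEM_ERROR|SYSTEM_ALERT_WINDOW"),
    "random_passcode": re.compile(r"Math\.random\(\)"),
    "device_admin": re.compile(r"DeviceAdminReceiver|BIND_DEVICE_ADMIN"),
    "pin_reset": re.compile(r"\bresetPassword\("),
}
# Assumption: the code is built as (int)(Math.random() * N) + offset, so the
# digit count of N-1 is the passcode length (6 -> 900000, 8 -> 90000000).
RANDOM_SCALE = re.compile(r"Math\.random\(\)\s*\*\s*(\d+)")

@dataclass
class Verdict:
    hits: dict = field(default_factory=dict)        # indicator -> line numbers
    passcode_digits: set = field(default_factory=set)

    @property
    def lockscreen_like(self) -> bool:
        # Flag only on co-occurrence: overlay + generated code, or
        # device admin + PIN reset. Math.random() alone is everywhere.
        h = self.hits
        return ("system_error_window" in h and "random_passcode" in h) or \
               ("device_admin" in h and "pin_reset" in h)

def scan_decompiled(text: str) -> Verdict:
    """Scan decompiled Java-like source text line by line for the indicators."""
    v = Verdict()
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, rx in INDICATORS.items():
            if rx.search(line):
                v.hits.setdefault(name, []).append(lineno)
        m = RANDOM_SCALE.search(line)
        if m:
            v.passcode_digits.add(len(str(int(m.group(1)) - 1)))
    return v

# Constructed decompiled fragments for testing; not real malware source.
SUSPECT = """\
public class Admin extends DeviceAdminReceiver {}
lp.type = WindowManager.LayoutParams.TYPE_SYSTEM_ERROR;
int code = (int) (Math.random() * 900000) + 100000;
dpm.resetPassword(String.valueOf(code), 0);
"""
BENIGN = """\
int dice = (int) (Math.random() * 6) + 1;
"""
```

Run `scan_decompiled(SUSPECT).lockscreen_like` against each decompiled class; the `hits` line numbers tell the analyst where to look first.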

There is some hope for Android users, though. Devices running Android Nougat are protected against this PIN-reset technique, because Nougat includes a feature that blocks ransomware from resetting the lockscreen PIN.

Phones running all earlier versions of the Android OS are vulnerable, however.

Android.Lockscreen represents just one example of the evolving Android ransomware threat. To help protect against an infection, users should avoid clicking on suspicious URLs and attachments, maintain an up-to-date antivirus solution on their devices, and keep their operating system up-to-date to the best of their ability.