Your browser is obsolete!

The page may not load correctly.

Free trial
Dr.Web for Android

Defend what you create

Other Resources

Close

Library
My library

+ Add to library

Contact us
24/7 Tech support

Send a message

Your tickets

Profile

Back to news

New ransomware sets unlock password on compromised Android handhelds

September 10, 2014

The rise in ransomware for Android indicates that cybercriminals are getting increasingly more interested in this method of generating illicit profits. Most known programs of this kind follow a common pattern: when launched, they lock an infected device and demand a ransom to unlock it. However, an extortionist Trojan, recently discovered by Doctor Web's security researchers, is equipped with a wider array of features. In addition to locking a device and demanding a ransom, it can also set a screen unlock password by activating a standard system feature. Moreover, the malware can send short messages which can potentially inflict even greater damage to the user's finances.

Dubbed by Dr.Web as Android.Locker.38.origin, the new malicious locker represents a growing family of ransomware that locks handhelds and demands a ransom to unlock them. This Android extortionist is spread in the guise of a system update. When launched, it requests access to the device's administrative features. After that the Trojan mimics update installation, removes its icon from the home screen, reports back to a remote server that the infection has been successful and awaits further instructions.

screen screen screen

The command to lock the targeted device can be given via a JSON request from a web server as well as via an SMS message containing the directive set_lock. Similarly to other ransomware of the Android.Locker family, Android.Locker.38.origin locks the device's screen and shows a ransom demand that can't be closed.

screen

However, if the affected user still tries to delete the extortionist by depriving it of administrator privileges, Android.Locker.38.origin engages an additional lock. This ability distinguishes it from other similar threats for Android.

First, the Trojan switches an infected device into standby mode by using the standard phone feature to lock the screen. Once the lock screen is turned off, the malicious program displays a fake warning that all the data stored in the device's memory has been removed.

screen

Once a selected action is confirmed, the ransomware brings up the lock screen again and activates a feature that requires the user to enter a password to toggle off the standby mode. Even if the feature hasn’t been used before, the malicious locker sets its own password: "12345". Thus, the infected smart phone or tablet is locked until the criminals involved get their ransom (the lock can be removed with the set_unlock command) or the user resets all the device's settings to default.

In addition to locking handhelds, Android.Locker.38.origin can also act as an SMS bot and send various messages when commanded to do so by criminals. This can result in additional financial losses for the user.

Devices running Dr.Web Anti-virus for Android are well protected from this malicious program.

Tell us what you think

You will be awarded one Dr.Webling per comment. To ask Doctor Web’s site administration about a news item, enter @admin at the beginning of your comment. If your question is for the author of one of the comments, put @ before their names.


Other comments

The Russian developer of Dr.Web anti-viruses

Doctor Web has been developing anti-virus software since 1992

Dr.Web is trusted by users around the world in 200+ countries

The company has delivered an anti-virus as a service since 2007

24/7 tech support

© Doctor Web
2003 — 2017

Doctor Web is the Russian developer of Dr.Web anti-virus software. Dr.Web anti-virus software has been developed since 1992.

2-12А, 3rd street Yamskogo polya, Moscow, Russia, 125040