My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets


Back to the news list

New ransomware sets unlock password on compromised Android handhelds

September 10, 2014

The rise in ransomware for Android indicates that cybercriminals are getting increasingly more interested in this method of generating illicit profits. Most known programs of this kind follow a common pattern: when launched, they lock an infected device and demand a ransom to unlock it. However, an extortionist Trojan, recently discovered by Doctor Web's security researchers, is equipped with a wider array of features. In addition to locking a device and demanding a ransom, it can also set a screen unlock password by activating a standard system feature. Moreover, the malware can send short messages which can potentially inflict even greater damage to the user's finances.

Dubbed by Dr.Web as Android.Locker.38.origin, the new malicious locker represents a growing family of ransomware that locks handhelds and demands a ransom to unlock them. This Android extortionist is spread in the guise of a system update. When launched, it requests access to the device's administrative features. After that the Trojan mimics update installation, removes its icon from the home screen, reports back to a remote server that the infection has been successful and awaits further instructions.

screen screen screen

The command to lock the targeted device can be given via a JSON request from a web server as well as via an SMS message containing the directive set_lock. Similarly to other ransomware of the Android.Locker family, Android.Locker.38.origin locks the device's screen and shows a ransom demand that can't be closed.


However, if the affected user still tries to delete the extortionist by depriving it of administrator privileges, Android.Locker.38.origin engages an additional lock. This ability distinguishes it from other similar threats for Android.

First, the Trojan switches an infected device into standby mode by using the standard phone feature to lock the screen. Once the lock screen is turned off, the malicious program displays a fake warning that all the data stored in the device's memory has been removed.


Once a selected action is confirmed, the ransomware brings up the lock screen again and activates a feature that requires the user to enter a password to toggle off the standby mode. Even if the feature hasn’t been used before, the malicious locker sets its own password: "12345". Thus, the infected smart phone or tablet is locked until the criminals involved get their ransom (the lock can be removed with the set_unlock command) or the user resets all the device's settings to default.

In addition to locking handhelds, Android.Locker.38.origin can also act as an SMS bot and send various messages when commanded to do so by criminals. This can result in additional financial losses for the user.

Devices running Dr.Web Anti-virus for Android are well protected from this malicious program.

Tell us what you think

To ask Doctor Web’s site administration about a news item, enter @admin at the beginning of your comment. If your question is for the author of one of the comments, put @ before their names.

Other comments