Android ransomware, which was first created last year and discovered by the ESET security team, has taken another step in its evolution by completely locking up users' devices with a PIN. The new ransomware is called Android/Lockerpin.A and was also discovered by ESET.
Previously, such Android-based ransomware could only bring up the ransom window constantly in an infinite loop to make the device appear locked, but users could eventually bypass it with the ADB debugging tools or by restarting the device in safe mode and uninstalling the malware.
The new ransomware can gain "Device Administrator" privilege and then lock the phone with a PIN number, making it impossible to enter the OS. The malware still needs the user to act in order to gain Device Administrator privilege, so an "Update patch installation" message would have to be approved by the user for this to work.
If the user clicks on the Continue button, then the malware can lock the device with a PIN number, and the user will be asked to pay a $500 ransom for supposedly viewing forbidden pornographic material. The message is made to appear as if it comes from the FBI.
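An added example, not from ESET or the original article: a static triage check over a decoded APK (for instance, apktool output) that flags an app declaring a Device Administrator receiver whose policy file requests "reset-password" or "force-lock", the policies an app needs in order to change the lock-screen PIN and lock the screen. The sample manifest and policy file are constructed, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
# Policies an app needs to change the lock-screen PIN and lock the screen.
LOCKOUT_POLICIES = {"reset-password", "force-lock"}

# Constructed sample input (hypothetical package), shaped like apktool output.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sample">
  <application>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <meta-data android:name="android.app.device_admin"
                 android:resource="@xml/device_admin"/>
    </receiver>
  </application>
</manifest>"""
SAMPLE_POLICY = """<device-admin>
  <uses-policies><reset-password/><force-lock/><watch-login/></uses-policies>
</device-admin>"""

def admin_receivers(manifest_xml):
    """Names of receivers that can be activated as Device Administrators."""
    found = []
    for rcv in ET.fromstring(manifest_xml).iter("receiver"):
        guarded = rcv.get(A + "permission") == "android.permission.BIND_DEVICE_ADMIN"
        has_meta = any(m.get(A + "name") == "android.app.device_admin"
                       for m in rcv.findall("meta-data"))
        if guarded and has_meta:
            found.append(rcv.get(A + "name"))
    return found

def requested_policies(policy_xml):
    """Policy tags listed under <uses-policies> in the device-admin XML."""
    uses = ET.fromstring(policy_xml).find("uses-policies")
    return set() if uses is None else {child.tag for child in uses}

def triage(manifest_xml, policy_xml):
    """Flag apps that could set a PIN and lock the screen once approved."""
    receivers = admin_receivers(manifest_xml)
    risky = requested_policies(policy_xml) & LOCKOUT_POLICIES if receivers else set()
    return {"admin_receivers": receivers,
            "lockout_policies": sorted(risky),
            "flag": bool(risky)}

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, SAMPLE_POLICY))
```

A flag here is only a reason for closer review: legitimate device-management and anti-theft apps request the same policies.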
Users can uninstall the Android/Lockerpin.A ransomware by going into Safe Mode or using ADB, but this only resets the PIN to a randomly generated one that is no longer sent to the attacker. That means neither the user nor the attacker behind the ransomware will be able to unlock the device any longer.
Users can unlock the device only if they reset it to factory settings, but some of their data could be lost in the process.
The Android/Lockerpin.A ransomware comes with a few self-protection mechanisms that help it resist manual uninstallation by the user or by anti-virus apps, which it tries to kill. The anti-virus apps against which it protects itself are ESET Mobile Security, Dr.Web and Avast. However, the team at ESET said that its anti-virus has its own self-protection mechanism against this type of behavior.
The ransomware is distributed through an app called "Porn Droid." ESET discovered that 77 percent of the infected users were from the U.S. The good news is that the app can't be found on the Play Store, and users would have to manually enable "Unknown Sources" installation on their phones and then install the app from third-party websites.
This is in fact how most Android malware is spread, so it's no surprise that the new ransomware is distributed this way, too. If you never install apps from sources other than the Play Store, then you should be reasonably safe against such malware. Otherwise, ESET recommended using its own mobile antivirus, which detects and stops the Android/Lockerpin.A ransomware.