Emerging Threats

Android Lockdroid variants target Western regions and Japan

Authored by a Symantec employee


One of the most prevalent Android ransomware threats in the West has now expanded to Asia, choosing Japan as its first target. Android.Lockdroid was spotted on March 11th, and disguises itself as a system update. Once the ransomware detects that it’s installed on a device in a certain country, it displays the ransom message in that country’s language. This is the first type of “chameleon” ransomware we’ve spotted. Once the ransomware is installed and running on the device, it “phones home” to the cybercriminal’s server, and then uploads the device’s information to figure out the phone’s language. If it finds that the app is on a Japanese device, it pushes out a message in Japanese. If the user is located in the United States, the app displays the warning in English, users in Europe receive notices in their own languages, and so on. If the ransomware doesn’t have a ransom message in the language for the user’s region, the server then sends the message in English, posing as if it were coming from Interpol.

In all languages, the ransom message states that law enforcement has locked the device because the user has viewed or stored illegal pornography on the device. The warning asks the user to pay the fine using an iTunes card in order to get their device unlocked. The cost is around $100, depending where the victim is located. The app will also attempt to use scare tactics to get the user to pay- it will attempt to take a picture of the victim using the device’s camera, and will then add the photo as part of the ransom warning. In addition to these scare tactics, the malware will gather other data from the device such as the IP address, region, device model, OS version, and the name of the user.

In general, Android.Lockdroid needs to be manually downloaded by the user from adult sites to infect devices. It could also automatically arrive on the device when the user clicks on advertising links, which is known as malvertising, a form of malicious advertising.

This malware can also be tricky by posing as a pornographic video app and try to trick users into installing it. Other versions can appear as fake system updates and can attempt to deceive users into believing that a patch is required for their device’s operating system. This new campaign mainly distributes the malware disguised as system update variants.

This particular version will wait around 30 minutes or longer until it begins any activity. This is to avoid the detection of the malware by the user because it doesn’t want the user to suspect that the most recent app they’ve just installed is the cause of the issue.

How to Stay Protected:

  • Use a comprehensive security solution such as Norton Mobile Security as Norton products have the detections for the Android.Lockdroid variants seen in this campaign.
  • Only install apps from trusted sources
  • Pay close attention to the permissions requested by mobile apps
  • Back up your device frequently
  • Keep software up to date

Symantec Corporation, the world’s leading cyber security company, allows organizations, governments, and people to secure their most important data wherever it lives. More than 50 million people and families rely on Symantec’s Norton and LifeLock comprehensive digital safety platform to help protect their personal information, devices, home networks, and identities.

Copyright © 2019 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, the Checkmark Logo, Norton, Norton by Symantec, LifeLock, and the LockMan Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the United States and other countries. Firefox is a trademark of Mozilla Foundation. Google Chrome and Android are trademarks of Google, LLC. Mac, iPhone and iPad are trademarks of Apple Inc. Microsoft and the Windows logo are trademarks of Microsoft Corporation in the United States and/or other countries. The Android robot is reproduced and/or modified from work created and shared by Google and used according to terms described in the Creative Commons 3.0 Attribution License. Other company names and product names are registered trademarks or trademarks of each company.