Emerging Threats

New variant of Android ransomware takes advantage of the lockscreen's user interface


Authored by a Symantec employee

 

A new variant of Android ransomware has been discovered, which is displayed on the lockscreen’s user interface (UI). This threat,Android.Lockdroid.E, creates a lockscreen that appears more sophisticated and official by displaying fraudulent legal notices coupled with personal information gathered from the device. By using the information collected the ransom notice appears personally tailored to the victim. The malware also uses this flaw to display the personal data that it collects through an easy-to-access, official looking menu. These elements help the ransomware intimidate the victim into making the payment.

Android.Lockdroid.E compromises devices in one of two ways:

  • The user downloads a free software package on their device, which includes a popular browser hijacker. This hijacker then redirects the victim's search results to compromised sites hosting the Android ransomware.
  • The ransomware is disguised as a legitimate video app and is made available on unofficial app stores.

Once the Trojan has gained access to the device and is executed, it collects as much personal information it can upon launch. The sensitive information that is collected includes call records, SMS activity, and browser history. Once collected, the threat will then lock the device from use, using the new ransom notice on the lockscreen. The ransom then claims that the user has accessed prohibited content and that their device logs are in law enforcement’s custody.

Android.Lockdroid.E is not present or spread through the Google Play store, and is another example of why users should only download Android apps from a trusted source.

How To Stay Safe From This Threat

  • Keep your device’s software up to date.
  • Do not download apps from untrusted and unfamiliar sites.
  • Pay close attention to the permissions requested by an app. If it seems illogical that an app would request access to a part of the phone not needed for the app to function, such as a flashlight app requesting access to your address book, you might want to think twice about downloading that app.
  • Install a suitable mobile security app, such as Norton and Norton Halt, which is a first responder app that that alerts you about the latest, breaking security vulnerabilities and exploits in order to protect your device and data.
  • In the event that ransomware strikes, make sure you have made frequent backups of important data.


Symantec Corporation, the world’s leading cyber security company, allows organizations, governments, and people to secure their most important data wherever it lives. More than 50 million people and families rely on Symantec’s Norton and LifeLock comprehensive digital safety platform to help protect their personal information, devices, home networks, and identities.

© 2018 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, the Checkmark Logo, Norton, Norton by Symantec, LifeLock, and the Lockman Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the United States and other countries. Firefox is a trademark of Mozilla Foundation. Google Chrome is a trademark of Google, Inc. Mac, iPhone and iPad are trademarks of Apple Inc. Microsoft and the Windows logo are trademarks of Microsoft Corporation in the United States and/or other countries. The Android robot is reproduced or modified from work created and shared by Google and used according to terms described in the Creative Commons 3.0 Attribution License. Other names may be trademarks of their respective owners.