Android ransomware changes a device's PIN code

10.09.2015
Researchers at security company ESET have found a type of malware that changes an Android device's PIN, the first of its kind in an ever-evolving landscape of ransomware attacks.

For most users, the only option to get rid of the malware is to reset the phone to its factory settings, which unfortunately also deletes all the data on the device.

The malware calls itself "Porn Droid" and bills itself as a viewer for adult content. It has only been seen on third-party Android application marketplaces or forums for pirated software, wrote Lukas Stefanko, an ESET malware analyst.

But after it's installed, users see a warning supposedly from the FBI that they've allegedly viewed "prohibited pornography." It asks for a US$500 fine to be paid within three days.

To change the device's PIN, Porn Droid needs administrator-level access to the phone.  Stefanko wrote that the malware uses a new method to obtain that high level of access.

When Porn Droid runs, it asks people to click a button to activate the viewer app. But beneath that window, and obscured by it, is another button for setting device administer privileges.

"After clicking on the button, the user's device is doomed," Stefanko wrote. "The Trojan app has obtained administrator rights and now can lock the device. And even worse, it sets a new PIN for the lock screen."

Other kinds of Android malware locked the screen by keeping the ransonware warning in the foreground using an infinite loop. But that could be remedied by using a command-line tool, the Android debug bridge, or deactivating admin rights in Safe Mode, according to Stefanko.

In the case of Porn Droid, if someone tries to deactivate the admin privileges, the malware uses a call-back function to reactivate them, Stefanko wrote.

The malware is also coded to try to shut down three mobile antivirus products: Dr. Web, ESET's Mobile Security and Avast. 

More advanced users may be able to get rid of Porn Droid without resetting and erasing all data on their phone. It is possible to remove the malware if a user has root privileges to the device, and some security software can stop it, Stefanko wrote.

Ransomware attacks, both desktop and mobile, have become some of the most persistent and damaging scams on the Internet. One of the most prevalent scams is encrypting a person's files and asking for money for the files to be decrypted.

Security experts generally advise not paying the ransom, as in many cases fraudsters never bother to fix the victim's computer.

Jeremy Kirk