Android Ransomware Demands Victims Speak Unlock Code
23.2.2017 securityweek Android
A newly discovered Android ransomware variant that packs speech recognition capabilities demands that victims speak a code provided by the attackers to unlock their devices, Symantec warns.
Dubbed Android.Lockdroid.E, the malware has been targeting Android users for over a year, but appears to be under development still, as its author is testing out various capabilities. In addition to locking devices, the new variant leverages speech recognition APIs to determine whether the user has provided it with the necessary passcode to unlock the device.
Most ransomware would ask users to type a passcode to regain access to their smartphone, but Android.Lockdroid.E’s author is experimenting with additional capabilities, Symantec’s Dinesh Venkatesan reveals. Targeting Chinese speakers at the moment, the malware can lock the user out using a SYSTEM type window, after which it displays a ransom note.
Written in Chinese, the note provides users with instructions on how to unlock the device, and also includes a QQ instant messaging ID that users should contact to receive further instructions on how to pay the ransom. However, since the device is already locked, users need a second device to contact the cybercriminals behind the threat and receive an unlock code.
Additionally, the ransom note instructs the victim to press a button to launch the speech recognition functionality. The malware abuses third-party speech recognition APIs for this function, and compares the spoken words heuristically with the expected passcode. The lockscreen is removed if the input matches.
“For some cases, the recognized words are normalized to accommodate any small degree of inaccuracies that an automated speech recognizer is bound to,” Symantec’s researcher explains.
The image used for the lockscreen, as well as the passcode information are stored in the malware’s assets files, in encoded form with additional padding. The researcher managed to extract the passcode using an automated script and says that the threat uses different types of passcodes. In fact, a different passcode is used for each infection.
A previously discovered Android.Lockdroid.E variant was using an inefficient 2D barcode ransom demand, which also required users to have a second device for scanning purposes, thus making it difficult for users to pay the ransom. The new variant doesn’t get any better, as it too requires a second device to contact the cybercriminals.
“While analyzing these latest Android.Lockdroid.E variants, I observed several implementation bugs such as improper speech recognition intent firing and copy/paste errors. It’s clear that the malware authors are continually experimenting with new methods to achieve their goal of extorting money from their victims. We can be certain this isn’t the last trick we’ll see from this threat family,” Venkatesan notes.
As always, users are advised to keep their software up to date and refrain from downloading applications from unfamiliar websites, but use only trusted sources for these operations. Further, users should pay attention to the permissions requested by apps, should keep their data backed up, and should install a suitable mobile security app for additional protection.