Android.Lockdroid.E variants with new functionality emerged during the last quarter of 2015 as part of the continued Android ransomware evolution. These variants scare victims with a system error GUI and then reset the lockscreen password used to access the device. Even users who manage to remove the malware without resetting the device may be unable to use the phone because they won't be able to get around the password the malware sets.

How does the malware reset the password?

The malware sets or resets the password (either a PIN or a pattern) for the device’s lockscreen by invoking the "resetPassword" method as seen in Figure 1. In order to invoke this method, the calling application must be a device administrator.



Figure 1. Android.Lockdroid.E variants set or reset the lockscreen password

How does Android Nougat prevent this?

The upcoming Android version, known as Android Nougat, will introduce a condition so that the invocation of the resetPassword API can only be used to set the password and not to reset the password.



Figure 2. A runtime error message when “resetPassword()” is invoked in a device running Android Nougat

This development will be effective in ensuring that malware cannot reset the lockscreen password, as the change is strictly enforced and there is no backward compatibility escape route for the threat. Backward compatibility would have allowed malware to reset the lockscreen password even on newer Android versions. With this change, there is no way for the malware to reset the lockscreen password on Android Nougat.

Disinfector tools will be affected

While the change will prevent malware from resetting the lockscreen password, it will not stop threats from setting the password on devices with no existing password.

The new feature will also affect standalone disinfection utilities, which also depend on the “resetPassword()” API. A disinfector utility is an automated tool designed to help users whose devices are infected with malware. The disinfector not only should clean the malware but also reset the arbitrary password set by the threat during its infection routine. Before Android Nougat, the disinfector calls the resetPassword() API to achieve this functionality. However, with Android Nougat’s new restrictions, the disinfector’s ability to call that API is bound to fail. This is likely to affect a small percentage of users who use disinfectors.

Mitigation

Symantec recommends users follow these best practices to stay protected from mobile threats:

Keep your software up to date

Refrain from downloading apps from unfamiliar sites and only install apps from trusted sources

Pay close attention to the permissions requested by apps

Install a suitable mobile security app, such as Norton, to protect your device and data

Make frequent backups of important data



Protection

Symantec and Norton products detect the threats discussed in this blog as: