Android Ransomware

A new variant of the Lockdroid Android ransomware has chosen a unique way of unlocking devices by asking users to speak a code provided after paying the ransom.

This ransomware, one of the oldest families on the Android market, has seen a lot of changes lately, with crooks experimenting with various methods through which victims can get in contact with the ransomers.

Past versions had used the classic route of displaying an email address in the ransom note, but at the beginning of the month, Lockdroid was started showing a 2D barcode on the device's screen, that victims needed to scan to get receive an URL where they could pay the ransom.

Lockdroid's new experiment

Based on a new report from Symantec, it appears that crooks were only experimenting with the 2D barcode system, as they have now dropped it in favor of a new contact method.

This time around, Lockdroid operators are listing a QQ instant messaging username at the bottom of their ransom screen, as seen below.

Smartphone device locked by a Android.Lockdroid.E ransomware version that uses QQ as a contact method
Smartphone locked by a Android.Lockdroid.E ransomware version that uses QQ as a contact method (via Symantec)

Users are told to message this ID and get in contact with the ransomer. What follows is a negotiation between the two, and after making a payment, the victim receives a four-string unlock code.

Lockdroid uses Baidu TTS to handle unlock operations

To unlock a device, the user is told to hold down a button and speak the unlock code.

This is the first time we've seen ransomware use TTS (text-to-speech) functions to handle the unlock operations. Versions of the Cerber desktop ransomware and other smaller families had used TTS features to read the ransom note out loud, but nothing else.

Lockdroid's current campaigns appear to be focusing mainly on the Chinese market, as the ransomware deploys ransom notes only written in Chinese, uses a Chinese-based instant messaging service, and the Baidu TTS API for speech recognition.

This Lockdroid strain uses a unique code for each victim, but according to Symantec's Dinesh Venkatesan, a security researcher might be able to recover this code if he can access the phone's filesystem, as the ransomware stores the unlock code in one of its /Assets files.

"While analyzing these latest Android.Lockdroid.E variants, I observed several implementation bugs such as improper speech recognition intent firing and copy/paste errors," Venkatesan says. "It's clear that the malware authors are continually experimenting with new methods to achieve their goal of extorting money from their victims. We can be certain this isn't the last trick we'll see from this threat family."

The best way of avoiding Android ransomware is to avoid installing applications from outside the official Play Store, and by not giving mobile apps more permissions than they're required to do their job.