Android.Lockdroid.E variants with new functionality emerged during the last quarter of 2015 as part of the continued evolution of Android ransomware. These variants scare victims with a fake system error dialog and then reset the lockscreen password (PIN or pattern) used to access the device. Even users who manage to remove the malware without factory-resetting the device may still be unable to use the phone, because they cannot get past the password the malware set.
How does the malware reset the password?
The malware sets or resets the device’s lockscreen credential (either a PIN or a pattern) by invoking the DevicePolicyManager “resetPassword” method, as seen in Figure 1. To invoke this method, the calling application must be an active device administrator: it has to ship a DeviceAdminReceiver that declares the reset-password policy, and the victim has to tap through the “Activate device administrator” prompt, which is why the fake system error dialog exists.
Figure 1. Android.Lockdroid.E variants set or reset the lockscreen password
How does Android Nougat prevent this?
The upcoming Android version, known as Android Nougat (7.0), adds a condition to the resetPassword API: a device administrator that is not the device owner or a profile owner may only use it to set a credential on a device that currently has none. An attempt to change an existing credential is refused with a SecurityException, as seen in Figure 2. Device owner and profile owner apps keep the old behaviour, but those roles require explicit provisioning and are not something a sideloaded ransomware package can obtain.
Figure 2. A runtime error message when “resetPassword()” is invoked in a device running Android Nougat
This change is effective in ensuring that malware cannot reset the lockscreen password, because it is enforced inside the framework’s device policy service rather than in the app, so there is no backward-compatibility escape route for the threat. Had the restriction been tied to the app’s target SDK version alone, malware could have kept targeting an older API level and continued to reset the password on newer Android versions. With this change, malware running as a plain device administrator has no way to reset an existing lockscreen password on Android Nougat.
Disinfector tools will be affected
While the change prevents malware from resetting an existing lockscreen password, it does not stop a threat from setting one on a device that has no password at all. A device that already has a PIN, pattern or password configured is the protected case.
The new restriction also affects standalone disinfection utilities, which depend on the same “resetPassword()” API. A disinfector is an automated tool designed to help users whose devices are infected with malware. Besides removing the malware, it needs to clear the arbitrary password the threat set during its infection routine. Before Android Nougat, the disinfector calls resetPassword() to do this. Under Nougat’s restrictions, a disinfector that runs as an ordinary device administrator will have that call fail, so it can no longer undo the lock on its own and has to guide the user through the manual recovery steps instead. This is likely to affect a small percentage of users, namely those who rely on disinfectors.
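The following Java class is an added example, not code from the original post or from any Symantec tool. It shows the two sides of the behaviour described above: the DevicePolicyManager.resetPassword() call that Android.Lockdroid.E uses to change the credential (the malware path is the same call with a PIN the victim does not know), and how a disinfector that is itself a device administrator should attempt the reverse operation so that it degrades cleanly on Android Nougat instead of crashing on the SecurityException. The class name LockscreenRecovery, the nested AdminReceiver, the Outcome enum and the method names are my own; the APIs used (getActiveAdmins, isAdminActive, isDeviceOwnerApp, isProfileOwnerApp, resetPassword, KeyguardManager.isDeviceSecure/isKeyguardSecure) are real Android SDK calls. It assumes the manifest registers AdminReceiver with android.permission.BIND_DEVICE_ADMIN and a device_admin.xml that declares <reset-password />, and that the user has activated it.

```java
import android.app.KeyguardManager;
import android.app.admin.DeviceAdminReceiver;
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.os.Build;
import android.util.Log;

import java.util.Collections;
import java.util.List;

/** Disinfector-side helper (hypothetical name); the app must be an active device admin. */
public final class LockscreenRecovery {
    private static final String TAG = "LockscreenRecovery";

    /** Our own DeviceAdminReceiver; the body may stay empty, the manifest entry does the work. */
    public static final class AdminReceiver extends DeviceAdminReceiver {}

    /** What happened, so the UI can tell the user the next step instead of silently failing. */
    public enum Outcome { NOT_ADMIN, CHANGED, REJECTED, BLOCKED_BY_NOUGAT }

    private final Context context;
    private final DevicePolicyManager dpm;
    private final KeyguardManager keyguard;
    private final ComponentName ownAdmin;

    public LockscreenRecovery(Context ctx) {
        context = ctx.getApplicationContext();
        dpm = (DevicePolicyManager) context.getSystemService(Context.DEVICE_POLICY_SERVICE);
        keyguard = (KeyguardManager) context.getSystemService(Context.KEYGUARD_SERVICE);
        ownAdmin = new ComponentName(context, AdminReceiver.class);
    }

    /**
     * Every active device administrator. A package that called resetPassword() must be in
     * this list. removeActiveAdmin() only works for the caller's own admin, so a foreign
     * admin (the ransomware) can only be deactivated by the user under Settings > Security.
     */
    public List<ComponentName> activeAdmins() {
        List<ComponentName> admins = dpm.getActiveAdmins();
        return admins == null ? Collections.<ComponentName>emptyList() : admins;
    }

    /** True if the lockscreen currently has a PIN, pattern or password. */
    public boolean lockscreenHasCredential() {
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.M) {
            return keyguard.isDeviceSecure();
        }
        // Pre-M fallback; also true for a locked SIM, which is good enough for this decision.
        return keyguard.isKeyguardSecure();
    }

    /** True if we run as device owner or profile owner, the roles Nougat still lets reset. */
    private boolean isOwnerApp() {
        String pkg = context.getPackageName();
        boolean owner = dpm.isDeviceOwnerApp(pkg);
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.LOLLIPOP) {
            owner = owner || dpm.isProfileOwnerApp(pkg);
        }
        return owner;
    }

    /**
     * Replaces the credential the threat set with a temporary PIN we can show the user.
     * Pre-Nougat this is exactly the call the malware made, only in the other direction.
     * On Nougat a plain device admin may only set a credential when none exists, so a
     * change attempt ends in SecurityException; we pre-check and also catch it.
     */
    public Outcome replaceCredential(String temporaryPin) {
        if (!dpm.isAdminActive(ownAdmin)) {
            return Outcome.NOT_ADMIN;
        }
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.N
                && lockscreenHasCredential() && !isOwnerApp()) {
            // The framework will refuse the reset for a non-owner admin; do not even try.
            return Outcome.BLOCKED_BY_NOUGAT;
        }
        try {
            // flags = 0: no FLAG_RESET_PASSWORD_REQUIRE_ENTRY / FLAG_DO_NOT_ASK_CREDENTIALS_ON_BOOT
            boolean ok = dpm.resetPassword(temporaryPin, 0);
            // false means the platform declined, e.g. the PIN violates the active password policy
            return ok ? Outcome.CHANGED : Outcome.REJECTED;
        } catch (SecurityException e) {
            Log.w(TAG, "resetPassword refused by the platform: " + e.getMessage());
            return Outcome.BLOCKED_BY_NOUGAT;
        }
    }
}
```

A disinfector built this way still removes the malicious package and still lists the foreign device administrator for the user to deactivate, but on Nougat it reports BLOCKED_BY_NOUGAT and hands the user over to the manual recovery flow (for example Android Device Manager or the OEM's account-based unlock) rather than presenting a crash or a false “device cleaned” message.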
Working as a cyber security solutions architect, Alisa focuses on application and network security. Before joining us she held cyber security researcher positions at a variety of cyber security start-ups. She also has experience in several industry domains, including finance, healthcare and consumer products.