Android.Lockerscreen adds unique features to ensure victims pay their ransoms.
Android.Lockerscreen adds unique features to ensure victims pay their ransoms.

In order to ensure their ransom is paid the criminals behind the Android.Lockerscreen ransomware have started using pseudorandom numbers to prevent their victims from unlocking their devices for free.

Earlier versions of the malware contained passwords that were hardcoded into the trojan itself, but researchers were able to reverse engineer these codes and unlock phones without users having to pay the ransom, Symantec wrote in a September. 27 blog post.

To prevent this, the malware authors did away with the hardcoded passwords and introduced a pseudorandom passcode generator that generates a unique six or eight digit number using the "Math.Random()",  function for every infection.

“There are few cases where the author of the malware uses the base number as the infection ID and leaves it in the screen, so adding a particular offset to that ID will yield the lock key,” Symantec Principal Threat Analysis Engineer Dinesh Venkatesan told SCMagazine.com via emailed comments. “In a few other cases, the entire key would be kept random without a base number.

He said in those cases the malware author has the additional overhead expense of maintaining a database with the unique infected users and the keys.

As an extra layer of defiance, the ransomware includes an attack which uses the device's admin privileges to change the PIN on an Android device's lock screen. Researchers also noted that these trojans are being created directly on mobile devices before being distributed.

The malware is spread when the victims are tricked using social engineering to download it from websites or third party app stores. Once infected, the trojan creates a custom System Error window which is imposed on on top of every visible user interface on the compromised device.

In one instance researchers spotted a variant displaying an intimidating message telling the victim to enter a passcode which can only be obtained by communicating with the attacker.

Researchers recommend users keep their software updated, refrain from downloading apps unfamiliar apps or anything from untrusted sources, pay close attention to requested permissions, install mobile security apps, and frequently back up their data.