Android ransomware can reset device’s security PIN code

CISOs need to spread a warning to Android users on staff that a new screen-locking ransomware is spreading, according to researchers at security vendor ESET.

Dubbed Android/Lockerpin.A, the malware randomly resets any PIN screen lock the user has set to ensure security. And while the attackers send a phoney FBI warning users are being fined US$500 for viewing pornography, the ransom is a hoax: Even if you pay it the device can’t be unlocked because the malware creates random PIN numbers that the attackers don’t have.

In a blog the company says “users have no effective way of regaining access to their device without root privileges or without some other form of security management solution installed, apart from a factory reset that would also delete all their data.”  The malware also preserves Device Administrator privileges so it can prevent uninstallation.

How is it spread? So far, by users downloading an app called Porn Droid for viewing video from porn sites. It can be prevented by urging employees not to go to porn sites, and to only download Android apps from Google Play or completely trusted sites.

After a successful installation, Lockerpin.A  tries to covertly obtain Device Administrator privileges. An  activation window is overlaid with the Trojan’s malicious window pretending to be an “Update patch installation.” As the victims click through this innocuous-looking installation, ESET says, they also unknowingly activate the Device Administrator privileges in the hidden underlying window.

Users know they’ve been nailed if the see this screen:


The user can uninstall the malware either by going into Safe Mode or using Android Debug Bridge (ADB). However, after any ransom activity the PIN will be reset and neither the owner nor the attacker can unlock the device except to reset to factory defaults – if device is not rooted.

Based on ESET customer statistics, most of the infected Android devices so far (over 75 per cent) are in the U.S. This backs up a trend where Android malware writers are shifting from mostly targeting Russian and Ukrainian users to largely targeting victims in America, the vendor says, where arguably they can make bigger profits.

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

ITW in your inbox

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

More Best of The Web