This new threat is identical in behavior to the Locker A described in detail on our blog a couple of weeks ago, and it is currently detected by Avira as Android/Locker.F.
This time the offending application poses as a “Porn Player”. Just like before, it requires unusual permissions such as “take pictures and videos”, “read your contacts”, “modify or delete the contents of your SD card” and “run at startup”, and just as before it requests Device Administrator access.
After installation, it completely locks the device, disabling home and back buttons. Restarting the device has no effect as the application loads again at startup.
The attackers have updated the interface: the tabs have been replaced by a menu button, a fake stamp and signature have been added to the notice page, the FBI logo has been updated, and the text of the “Notice” and “Legal information” sections has been slightly changed.
The “evidence” for the alleged “violation” is in the form of pornographic content shown in the “Your Image” section, and for credibility the application also shows lists of recent calls, text messages and browser history.
In this version, the attackers have changed the payment method from Moneypak to PayPal My Cash, keeping the same amount – $500 for unlocking the device.
Just as before, we have the same recommendations for unlocking the device and preventing future infections:
Unlocking the device
The only method to regain control over your phone is to restart your phone in Safe Mode.
Here is how to start your phone in safe mode on the Galaxy S3, Galaxy S4, HTC and Motorola devices; for other models you may have to google around a bit:
S4 – 1. Power down. 2. Turn on and repeatedly tap the soft-button for “Menu.”
S3 – 1. Power down. 2. Turn on, then press and hold Volume Down (Galaxy S3 and others), Volume Up (HTC One and others), or Volume Down and Volume Up together (various Motorola devices) when the vendor’s logo appears.
Once you have successfully entered safe mode, you can copy any important files off your phone and then do a factory reset, either yourself or by sending the phone in for service so that an expert can do it.
Preventing future infections
The best way to make sure you don’t get infected with this ransomware is to only install software from the official Google Play store. By default, Android phones have installation from other sources disabled, so if you try to install an application that is not from Google Play, the system will display an “Install Blocked” warning; in order to continue installing the software you must manually enable installation from other sources:
We recommend that you press Cancel each time you see this window, and only install software from Google Play.
You can always tell if an application has bad intentions when you see unusual permissions requested at installation, such as reading contacts and running at startup.
Another warning sign is an app requesting Device Administrator access. You should never allow this kind of access to applications, as it can result in all of your data being erased or your passwords being changed.
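To turn the warning signs above (the four unusual permissions, running at startup, Device Administrator access) into something an analyst can check mechanically, here is an added triage script that is not part of the original post or of Avira’s tooling. It scans a decoded AndroidManifest.xml for exactly that profile; the manifest it scans is a constructed sample, not taken from the actual malware.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # namespace prefix for android: attributes

# Permission profile described in the post, keyed by manifest name, valued by install-prompt text.
LOCKER_PERMISSIONS = {
    "android.permission.CAMERA": "take pictures and videos",
    "android.permission.READ_CONTACTS": "read your contacts",
    "android.permission.WRITE_EXTERNAL_STORAGE": "modify or delete the contents of your SD card",
    "android.permission.RECEIVE_BOOT_COMPLETED": "run at startup",
}

def triage_manifest(manifest_xml: str) -> dict:
    """Report which Locker-style indicators a decoded AndroidManifest.xml contains."""
    root = ET.fromstring(manifest_xml)
    requested = {p.get(A + "name") for p in root.iter("uses-permission")}
    found = {perm: label for perm, label in LOCKER_PERMISSIONS.items() if perm in requested}
    device_admin = boot_receiver = False
    for recv in root.iter("receiver"):
        actions = {a.get(A + "name") for a in recv.iter("action")}
        # Device Administrator access needs a BIND_DEVICE_ADMIN-guarded receiver for DEVICE_ADMIN_ENABLED.
        if (recv.get(A + "permission") == "android.permission.BIND_DEVICE_ADMIN"
                and "android.app.action.DEVICE_ADMIN_ENABLED" in actions):
            device_admin = True
        # A BOOT_COMPLETED receiver is how the locker reloads itself after a restart.
        if "android.intent.action.BOOT_COMPLETED" in actions:
            boot_receiver = True
    return {
        "permissions": found,
        "device_admin": device_admin,
        "boot_receiver": boot_receiver,
        "matches_locker_profile": len(found) == len(LOCKER_PERMISSIONS) and device_admin,
    }

# Constructed sample manifest mirroring the profile in the post; not taken from any real APK.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.fakeplayer">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <receiver android:name=".AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""
```

Run `triage_manifest(SAMPLE_MANIFEST)` on a manifest decoded with a tool such as apktool; an app that matches the full profile deserves the same suspicion the post recommends at install time.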