A new version of an old Android ransomware called Android.Lockdroid.E has emerged. The first variant of the infection was released about a year ago. Since then, there have been two notable modifications. The latest build exhibits an unusual characteristic. The program sends each victim a private code and asks them to say it out loud.
This version of Android.Lockdroid.E was discovered by security researchers at Symantec. The speech recognition capability is an advanced function, which suggests that the hackers are testing the limits of their technical skills.
Symantec explained how the ransomware works. The virus locks the user out of his mobile device. It uses a SYSTEM type window which appears prior to the ransom note being displayed. Since the virus is distributed in China, the note is written in Chinese. It does not give instructions on how to pay the ransom.
In order to receive further instructions, you have to request them. This is where the speech recognition function comes into play. The ransom note contains a QQ instant messaging ID which the victim must speak into a mobile device. Only then will he get information on how to pay the ransom.
The process is complicated. Since your device is locked, you have to use another one to communicate with the cyber criminals. Once you contact them, the ransom note will instruct you to press a button to prompt the speech recognition function. The program uses a third-party speech recognition API to compare your voice message with the code you have been assigned.
Symantec dedicated a blog post to Android.Lockdroid.E where they explained the technology behind the ransomware: “The malware stores the lockscreen image and the relevant passcode in one of its Assets files in encoded form with additional padding. I was able to extract the passcode using an automated script. Figure 2 shows a couple of examples of the types of passcodes the threat uses. It should be noted that the threat will use a different passcode for each infection.”
The first modification to Android.Lockdroid.E involved using a barcode
As we previously stated, the developers of the ransomware experimented with its code on a couple of occasions. The first time they tried to include a different feature, the concept turned out to be a flop. The first modification embedded an inefficient 2D barcode ransom demand. As with the present version, the victim had to use another device. The barcode needed to be scanned, as it was used to log into a messaging app. The hackers conveyed instructions on paying the ransom through the app.
Examining the current version of Android.Lockdroid.E, experts concluded that this version is not a successful venture, either. There are several bugs, as the speech recognition function has difficulty recognizing the spoken words. Time will tell whether the renegade developers will be able to improve their craft.