Talking Android Ransomware Plagues Chinese Users

A new variation of Android lockscreen malware is doing the rounds in China, locking users out of their smartphones and delivering a ransomware message via a female voice.

‘Android/LockScreen.Jisut,’ a member of the well-known Jisut ransomware family, is able to reset the PIN code on Android devices and sets the user a price tag of 40 Yuan (roughly $6 or £4.80) in order to regain access.

“This talking Android ransomware spreads via a malicious dropper used to decrypt and run the payload,” writes ESET. “The infection process is activated after the user manually opens the malicious app and taps the “Click for free activation” button.

“Subsequently, the victim is asked to grant admin rights to the malware, making it difficult to remove or uninstall the app. On top of that, the device is locked down and the ransom voice message played.”


But that’s not all. The malware has other malicious intentions, namely attempting to steal user credentials for the Chinese social network QQ.

It tries to trick users by displaying a fake login screen almost identical to that shown by the legitimate service. Any username or password entered is sent directly to the attackers, followed by a ransom demand and information on how to carry out the payment.

If the user manages to close the app, the malware changes the device’s PIN code to one unknown to the victim, locking them out of their phone or tablet.

To get rid of Android/LockScreen.Jisut, ESET recommends manually revoking the admin rights to allow you to uninstall the app, carrying out a factory reset to return the device to its original state, or using Android Debug Bridge to communicate with the device via command line.

Security warnings for Android devices have been coming thick and fast over the last couple of months, despite Google’s constant attempts to patch flaws before they can be exploited.

So far this year we’ve seen warnings of fake Super Mario Run apps that target financial data, the return of advertising malware HummingBad with boosted capabilities that make it harder to detect, and a form of ransomware that disguises itself as a Pornhub app.


Sam Pudwell

Sam Pudwell joined Silicon UK as a reporter in December 2016. As well as being the resident Cloud aficionado, he covers areas such as cyber security, government IT and sports technology, with the aim of going to as many events as possible.
