New Lockerpin Ransomware Steals PINs And Locks Devices For Ever


ESET researchers say Lockerpin is the first such kind of ransomware ever detected

A new form of ransomware that actively locks out users by burrowing into a phone’s software has been detected by security researchers.

Named Lockerpin by researchers at security firm ESET, the malware alters a phone’s PIN lock function, stopping users from accessing their device unless they pay a $500 ransom for allegedly viewing and harbouring forbidden pornographic material.

ESET says this is the first time they’ve ever detected such a function in malware, marking it as extremely dangerous for users.


Previous Android LockScreen Trojans usually work by constantly bringing the ransom window to the foreground in an infinite loop, which although annoying, can be removed using debug programs.

However with Lockerpin, users have no effective way of regaining access to their device without root privileges or without some other form of security management solution installed, apart from a factory reset that would also delete all their data.

The ransomware is also able to obtain and keep Device Administrator privileges, which makes it extremely tricky to uninstall: when users attempt to deactivate Device Admin for the malware, they will fail, because the Trojan will have registered a call-back function to reactivate the privileges when removal is attempted.

Similarly to when Device Administrator is first activated by the Trojan, if a removal attempt is made the Device Administrator window is again overlaid with a bogus window, which when selected effectively reactivates the elevated privileges.

“This is the first case in which we have observed this aggressive method in Android malware,” the researchers say.

ESET says that the only way to remove the PIN lock screen without a factory reset is when the device is rooted or has an MDM solution capable of resetting the PIN installed, both of which should allow users to regain full functionality.


Lockerpin is downloaded by accessing a malicious app posing as an adult video app calling itself “Porn Droid”, which luckily cannot be found on Google Play.
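Because the Trojan depends on holding Device Administrator rights and arrives from outside Google Play, a defender can audit a handset for exactly that combination. The following is an added example, not code from ESET or the article: it parses the text of `adb shell dumpsys device_policy` and `adb shell pm list packages -i`. The sample dumps and package names are constructed, and the regular expressions assume this dump layout, which differs between Android versions.

```python
import re

# Assumption: only Google Play is trusted; add your MDM or enterprise store here.
TRUSTED_INSTALLERS = {"com.android.vending"}

# Constructed sample of `adb shell dumpsys device_policy` output.
SAMPLE_POLICY = """\
Enabled Device Admins (User 0, provisioningState: 0):
  com.google.android.gms/.mdm.receivers.MdmDeviceAdminReceiver:
    uid=10012
  com.example.videoplayer/.AdminReceiver:
    uid=10154
"""

# Constructed sample of `adb shell pm list packages -i` output.
SAMPLE_PACKAGES = """\
package:com.google.android.gms  installer=com.android.vending
package:com.example.videoplayer  installer=null
package:com.example.notes  installer=com.android.vending
"""

COMPONENT_RE = re.compile(r"^\s+([A-Za-z0-9_.]+)/([A-Za-z0-9_.$]+):\s*$")
PACKAGE_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)\s*$")

def active_admins(policy_dump):
    """Return {package: receiver} for each enabled device-admin component."""
    admins = {}
    for line in policy_dump.splitlines():
        m = COMPONENT_RE.match(line)
        if m:
            admins[m.group(1)] = m.group(2)
    return admins

def installers(package_list):
    """Return {package: installer or None} from the package listing."""
    found = {}
    for line in package_list.splitlines():
        m = PACKAGE_RE.match(line)
        if m:
            found[m.group(1)] = None if m.group(2) == "null" else m.group(2)
    return found

def suspicious_admins(policy_dump, package_list):
    """Device admins not installed by a trusted store (preloaded apps also show null)."""
    inst = installers(package_list)
    return sorted(p for p in active_admins(policy_dump) if inst.get(p) not in TRUSTED_INSTALLERS)

if __name__ == "__main__":
    for pkg in suspicious_admins(SAMPLE_POLICY, SAMPLE_PACKAGES):
        print("device admin from untrusted source:", pkg)
```

Preinstalled system apps can also report no installer, so treat each hit as something to review rather than a verdict.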

ESET says that over 75 percent of the infected devices are in the USA, reflecting a trend where Android malware writers are shifting from mostly targeting Russian and Ukrainian users to largely targeting victims in America, where arguably they can make bigger profits.

A study by ESET earlier in the year found that ransomware is an increasingly dangerous proposition for many UK businesses, with over a third of UK companies having either personally been held to ransom by hackers, or knowing someone that has had their networks infected by ransomware.

Security firm McAfee Labs also warned earlier this month that ransomware attacks grew 127 percent from Q2 2014 to Q2 2015, with McAfee attributing this to a number of fast-growing new families such as CTB-Locker and CryptoWall, both of which hit the headlines earlier this year.
