Mobile malware authors have come up with a new trick that helps Android.Lockscreen, a ransomware strain that targets Google's mobile OS, to start automatically whenever the user reboots his device.
Android ransomware is not as advanced as its Windows counterpart. Most of today's Android ransomware families lack the capability to encrypt user files, which greatly hinders their ability to extort users.
Android.Lockscreen is one of the most effective ransomware families because it locks the user's screen with a random PIN number. Security researchers from Symantec revealed a new tactic in Android.Lockscreen's operations, which now disguises its malicious code inside a "launcher app." Launchers are part of the Android OS responsible for managing some parts of the user interface. Because of this, these apps are launched automatically whenever the OS restarts.
Because Google limited app auto-start capabilities since Android 3.1, the only way a malware author can get auto-start privileges is if he disguises his malware as a launcher app. The reason why most don't is because very few Android users know what launcher apps are, let alone use them. This is just another Android.Lockscreen variation, which explores a novel method of infecting its users.
Ransomware disguising as generic "Android" launcher app
After installing the malicious launcher app, every time users will press the Home button, a popup will appear listing all the launcher apps, and asking which one the user wants to use. Symantec says it detected Android.Lockscreen hiding behind a launcher app that used the generic "Android" name.
"Users can prevent the malware from running by carefully selecting the default Android launcher, or any other legitimate launcher that they may have installed, and choosing 'Always' instead of 'Just Once'," the Symantec team recommends. If you find yourself infected with something Android.Lockscreen, but have yet to use the launcher app, go to your phone's Apps section and uninstall the app ASAP.