Lockdroid.E targets Android OS and is distributed through software downloaded from third party app stores. Disguised as a video player app, this variant uses clickjacking to gain administrative privileges on the infected device. It then encrypts data and changes the PIN code so the victim is no longer able to access the device. Additionally, Lockdroid.E threatens to delete all of the victim’s data and publish the victim’s browsing history to contacts stored within the device if the ransom is not paid.

UPDATE 2/6/2017: A new version, discovered by Symantec, includes a dropper component that scans infected Android devices to determine whether or not they have been rooted. If the device is rooted, it displays a screen that attempts to lure victims into giving it root access permissions in exchange for access to free adult movies. If the access is granted, LockDroid.E locks the device and displays a ransom screen with a QR code and ransom payment instructions. If the device is not rooted, LockDroid.E immediately locks the device and displays the same ransom screen and QR code, but does not gain root access or make any other system changes. This version is distributed through third-party applications, SMS messages, and download links posted in forums. A full reinstallation of the Android OS, also known as flashing, is required to regain functionality of the device and eliminate the malware.

UPDATE 2/23/2017: A new version incorporates the use of Baidu text-to-speech (TTS) and requires the victim to speak a code into the microphone of the infected device after paying the ransom in order to unlock it. It also displays a QQ Messenger address to allow for communication between the victim and attacker. Currently, this version is only impacting Chinese victims.

  • More information about Lockdroid.E can be found here.
  • The NJCCIC is not aware of any decryption tools available for Lockdroid.E.