Anurag Shandilya & V.Dhanalakshmi, K7 Computing

It is perilous, irrespective of platform or OS, to allow a third-party application to modify a smart device’s security settings such as device PIN, especially without explicit user consent. Unfortunately third-party modification of device PIN is, in fact, possible on Android, and cybercriminals have spotted this ripe opportunity for exploitation.

Apart from the standard use of device PIN to prevent unauthorized device access, from Lollipop (Android 5.0) and above, device PIN also plays a major role in decrypting user data during the boot process. The Doublelocker ransomware locks out a victim from accessing the infected Android device by resetting the device PIN, and causes further damage by carrying out file-based encryption on the victim’s user data. The damage is irreparable since removing the ransomware ultimately requires a factory reset, resulting in data loss and, potentially, financial loss. If we were to consider a nightmare scenario in the age of the Internet of Things (IoT), where smartphones can be used to remotely control smart room temperature and smart door locks, an infection by such ransomware could even prove fatal.

Resetting a device’s PIN and then demanding a ransom is not actually a new phenomenon. In the past ransomware families like Android LockerPIN and Lockscreen/Jisut have performed device PIN reset by calling Android DevicePolicyManager APIs such as ‘resetPassword’ and ‘LockNow’ with DeviceAdmin privileges, which in turn invoke the method ‘com.android.settings/.ChooseLockPassword’. Doublelocker too employs the aforementioned set of APIs to reset device PIN, and all 3 ransomware families adapt this technique to achieve the desired effect on the latest versions of the Android OS.

From Oreo (Android 8.0) and above, it has been possible to employ Android Debug Bridge (ADB), a powerful tool to interact with the Android device at system level, to set or modify device PIN/pattern. This presents yet another opportunity for exploitation. For example, a malware APK running with root privileges could leverage the same system-level APIs used by ADB to change device PIN/pattern. Alternatively an attacker could potentially use ADB on an infected PC to modify device PIN/pattern on an USB-connected Android device.

This presentation will describe in detail strategies used by the Lockscreen/Jisut, LockerPIN and Doublelocker malware families to modify device security settings, the methods to identify these malicious techniques, and the security measures which would help platform developers, security vendors and device users to prevent such attacks. The presentation also explores new Android security holes and how they can be leveraged by an attacker, exemplified by a live demo of the exploitation of one such security issue that renders a device inaccessible by modifying its device security settings.