This talking Android ransomware spreads via a malicious dropper used to decrypt and run the payload. The infection process is activated after the user manually opens the malicious app and taps the \u201cClick for free activation\u201d button at the bottom of the displayed picture.<\/p>\n
![](\"http:\/\/www.welivesecurity.com\/wp-content\/uploads\/2017\/02\/4-1qxf4.png\")
<\/p>\n
Figure 1 Talking Jisut mimics Lockerpin, changing the original PIN code of the infected device to lock the user out<\/p>\n<\/div>\n
Subsequently, the victim is asked to grant admin rights to the malware, making it difficult to remove or uninstall the app. On top of that, the device is locked down and the ransom voice message played.<\/p>\n
In addition to extortion, the talking Jisut variant has other intentions \u2013 one example being its attempt to elicit users\u2019 credentials for the Chinese social network QQ.<\/p>\n
The malware attempts to dupe users by displaying a fake login screen, similar to the original one used by the service. Any username or password entered by the user is sent directly to the attacker.<\/p>\n
This activity is followed by a ransom demand and information on how to proceed with the payment appears on the user\u2019s screen. There\u2019s no way out: if the user somehow manages to close the activity, it only makes matters worse. The device\u2019s own security feature \u2013 PIN lock \u2013 is reset to a new entry code, one unknown to the victim.<\/p>\n
![](\"http:\/\/www.welivesecurity.com\/wp-content\/uploads\/2017\/02\/2-yp3e6.png\")
<\/p>\n
Figure 2 \u2013 Fake QQ login screen, trying to elicit the user\u2019s credentials<\/p>\n<\/div>\n
![](\"http:\/\/www.welivesecurity.com\/wp-content\/uploads\/2017\/02\/3-106spe.png\")
<\/p>\n
Figure 3 \u2013 Lock-screen with ransom demand<\/p>\n<\/div>\n
Talking lock-screen is merely one of the new Jisut malware family variants seen over the past year, with the overall number of detections seen by ESET doubling compared to 2015. However, not all of those detected were extorting victims. In fact, some were just trying to sell the app or its source code, or instead, simply locked the device without demanding any ransom.<\/p>\n
Variants that asked for money often made the process of paying the ransom simpler and more straightforward by adding a QR code that allowed the user to either send a message to the attacker or to make a direct payment.<\/p>\n
The majority of Jisuts had only a visible effect\u2013 changing the device\u2019s wallpaper, or audible activity \u2013 playing a sound in the background. This reinforces our previously published belief it wasn\u2019t created for purely financial reasons, but also as a prank.<\/p>\n
Jisut family is most widespread in China and it is most probably the work of a gang, one that doesn\u2019t care much about anonymity. Some of the past ransomware nag screens included contact information at the Chinese social network QQ and urged victims to contact the authors to get their files back. If the information at QQ is valid, these malware operators are youths between 17 and 22 years old.<\/p>\n
The first variants of Android\/LockScreen.Jisut started appearing in the first half of 2014. Since then, we have detected hundreds of variants displaying different ransom messages, however all based on the same code template. In addition to the ransomware aspect, some variants are spread via an SMS message with a URL link to the malware to all of the user\u2019s contacts.<\/p>\n
To find out more about ransomware on Android, its current trends and most noteworthy examples since 2014, read the newly released whitepaper by ESET<\/a>. You\u2019re also welcome to stop by at ESET booth B05, in hall 5, at this year\u2019s Mobile World Congress<\/a> held in Barcelona, February 27th \u2013 March 2nd, 2017.<\/p>\n How to get rid of Android\/Lockscreen.Jisut<\/b><\/p>\n There are three ways to get rid of the malware if your device has been infected:<\/p>\n Video Player<\/span><\/p>\n\n