The virus, also known as Lockdroid, uses a technique that is very familiar but at the same time not very widespread: a dropper.
The infection begins when the virus arrives via an app installed from a third-party location with the user's authorization. After this has happened, the app establishes a connection to a third-party host, from which the lockscreen malware is automatically dropped and executed, researchers report (https://www.symantec.com/connect/blogs/android-ransomware-repurposes-old-dropper-techniques?es_c=50044&es_t=1486483247).
What is interesting about this case is that the app itself checks the root status of the device and, if it is not rooted, displays a screen with deceitful messages for the user to confirm. This screen gives the application permissions to act.
Once it has been administratively activated, the app unmounts and mounts the /system partition of the Android device and then copies the malicious APK (package) file for the ransomware into that very partition. Then the app changes the permissions of that APK file, which is the Lockdroid malware, so that it executes automatically. After this activity is complete, the app forcibly restarts the device and then locks its screen.
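A defender-side check for the behaviour described above, as an added example that is not from the original article or the cited research: it compares two package listings in the `package:<path>=<name>` form printed by `adb shell pm list packages -f` and flags any APK that has newly appeared under /system. The package names and paths below are constructed sample data, and the baseline listing is assumed to have been taken while the device was known to be clean.

```python
import re

# One line per package, as printed by `adb shell pm list packages -f`:
#   package:<apk path>=<package name>
LINE_RE = re.compile(r"^package:(?P<path>/.+\.apk)=(?P<name>[\w.]+)$")

# Constructed sample listings (not taken from a real device or from the article).
BASELINE = """\
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/data/app/com.example.player-1/base.apk=com.example.player
"""
CURRENT = """\
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/system/app/Player/Player.apk=com.example.player
package:/system/app/Update/Update.apk=com.example.update
"""

def parse_packages(listing):
    """Return {package_name: apk_path}, skipping lines that do not parse."""
    packages = {}
    for line in listing.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            packages[match.group("name")] = match.group("path")
    return packages

def unexpected_system_apks(baseline, current):
    """List (name, path, reason) for APKs under /system that the baseline lacks."""
    known = parse_packages(baseline)
    findings = []
    for name, path in sorted(parse_packages(current).items()):
        if not path.startswith("/system/"):
            continue  # user-installed apps live outside /system
        if name not in known:
            findings.append((name, path, "new package on /system"))
        elif known[name] != path:
            # Same package, but its APK now sits on the system partition.
            findings.append((name, path, "moved from " + known[name]))
    return findings

if __name__ == "__main__":
    for name, path, reason in unexpected_system_apks(BASELINE, CURRENT):
        print(f"{name}: {path} ({reason})")
```
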
What is interesting is that the app displays a 2D type of barcode on the device's lockscreen. Alongside it are instructions on how to scan this very barcode to make a payment easily and unlock the Android device. Malware researchers strongly advise users not to scan or pay anything and to try alternative tools to reset the phone after taking out the SIM card.
We have created the following instructions in case you have become a victim of Android malware. They will help you get access to your phone again. But first, make sure to try to get your files back, because these instructions include wiping the device, so use them at your own risk.