New variants of Android.Lockscreen are using pseudorandom passcodes to prevent victims from unlocking devices without paying the ransom. Previous versions of these threats locked the screen and used a hardcoded passcode, but analysts were able to reverse engineer the code to provide victims with the passcode to unlock their devices.

Attackers have also combined a custom lockscreen with the device’s lockscreen to create an additional hurdle for those infected. Similar to some other mobile threats we’ve observed, these Trojans are being created directly on mobile devices before being distributed. Symantec detects these threats as Android.Lockscreen.