Android Nougat will prevent malware from resetting device passwords
Google to the rescue?
The forthcoming version of Android - dubbed Nougat - will stop ransomware and other nasties from invoking the "resetPassword" API to reset a device's password and lock out hapless users.
The long-overdue security measure follows the spread of the Android.Lockdroid.E ransomware and its variants from late 2015.
According to Dinesh Venkatesan at Symantec: "These variants scare victims with a system error GUI and then reset the lockscreen password used to access the device. Even users who manage to remove the malware without resetting the device may be unable to use the phone because they won't be able to get around the password the malware sets."
The malware, he adds, is capable of resetting either a PIN or pattern-style password in Android by invoking the "resetPassword" API. "In order to invoke this method, the calling application must be a device administrator," adds Venkatesan.
He continues: "The upcoming Android version... will introduce a condition so that the invocation of the resetPassword API can only be used to set the password and not to reset the password.
"This development will be effective in ensuring that malware cannot reset the lockscreen password, as the change is strictly enforced and there is no backward compatibility escape route for the threat. Backward compatibility would have allowed malware to reset the lockscreen password even on newer Android versions. With this change, there is no way for the malware to reset the lockscreen password on Android Nougat," he suggested.
However, the measure won't protect users who (foolishly) have no existing password set.
Venkatesan concluded: "The new feature will also affect standalone disinfection utilities, which also depend on the 'resetPassword()' API. A disinfector utility is an automated tool designed to help users whose devices are infected with malware.
"The disinfector not only should clean the malware but also reset the arbitrary password set by the threat during its infection routine. Before Android Nougat, the disinfector calls the resetPassword() API to achieve this functionality. However, with Android Nougat's new restrictions, the disinfector's ability to call that API is bound to fail."
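Because the API is only open to device administrators, an app that can call it has to declare that in its package. The following added example (not from the article or from Symantec) is a static triage check that lists device-admin receivers whose policy file requests the reset-password policy. It assumes the manifest and `res/xml` files have already been decoded to plain text; the sample inputs are constructed and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace

# Constructed sample input: a decoded AndroidManifest.xml for a made-up package.
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <application>
    <receiver android:name=".AdminReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN">
      <meta-data android:name="android.app.device_admin"
          android:resource="@xml/device_admin"/>
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".BootReceiver"/>
  </application>
</manifest>"""

# Constructed sample input: res/xml policy files keyed by resource name.
POLICY_FILES = {"device_admin": """<device-admin>
  <uses-policies><force-lock/><reset-password/></uses-policies>
</device-admin>"""}

def admin_receivers(manifest_xml):
    """Yield (receiver name, policy resource name) for device-admin receivers."""
    for rcv in ET.fromstring(manifest_xml).iter("receiver"):
        if rcv.get(A + "permission") != "android.permission.BIND_DEVICE_ADMIN":
            continue
        for meta in rcv.iter("meta-data"):
            if meta.get(A + "name") == "android.app.device_admin":
                yield rcv.get(A + "name"), meta.get(A + "resource", "").rsplit("/", 1)[-1]

def declared_policies(policy_xml):
    """Return the policy tags listed under <uses-policies>."""
    node = ET.fromstring(policy_xml).find("uses-policies")
    return {child.tag for child in node} if node is not None else set()

def reset_password_admins(manifest_xml, policy_files):
    """List receivers whose admin policy declares <reset-password/>."""
    hits = []
    for name, res in admin_receivers(manifest_xml):
        policy_xml = policy_files.get(res)
        if policy_xml and "reset-password" in declared_policies(policy_xml):
            hits.append(name)
    return hits

if __name__ == "__main__":
    print(reset_password_admins(MANIFEST, POLICY_FILES))
```

A hit only means the app is able to ask for the policy; legitimate tools such as the disinfectors mentioned above declare it too, so treat the result as a prompt for closer review.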