
DoubleLocker ransomware encrypts Android files and changes your PIN

16 Oct 2017

The world’s first Android ransomware to abuse Android Accessibility Services has been named DoubleLocker, a nod to its twofold ability to change a device’s PIN and to encrypt the data on the device.

ESET researchers, who discovered it, describe it as ‘innovative ransomware’ with ‘powerful tools’ for money extortion – enough to make it the first of its kind targeting Android systems.

According to the researcher who discovered the malware, Lukáš Štefanko, DoubleLocker misuses Android’s accessibility services.

DoubleLocker has its roots in the well-known banking Trojan called Android.BankBot.2.11.origin.

“Its payload can change the device’s PIN, preventing the victim from accessing their device and also encrypts the victim’s data. Such a combination hasn’t been seen yet in the Android ecosystem,” Štefanko says.

He also says it would be simple to add capability for harvesting banking credentials and wiping accounts.

“The additional functionality would turn this malware into what could be called a ransom-banker.”

DoubleLocker is distributed through a fake Adobe Flash Player app hosted on compromised websites.

Once installed, it asks the user to activate a service named ‘Google Play Service’; through that it gains accessibility permissions and then device administrator rights.

“Setting itself as a default home app – a launcher – is a trick that improves the malware’s persistence. Whenever the user clicks on the home button, the ransomware gets activated and the device gets locked again. Thanks to using the accessibility service, the user doesn’t know that they launch malware by hitting Home,” he explains.
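The three footholds described above (an enabled accessibility service, device administrator rights, and the default home app) are all visible from a connected workstation with `adb`. The script below is an added example written for this article, not ESET's code or anything from the original report: it pulls those three settings and flags any package that is not on a known-good allowlist. The `adb shell` commands are real Android commands; the allowlist, the package names such as `com.example.suspicious`, and the sample command outputs are constructed for illustration, and the `dumpsys device_policy` layout it parses is assumed from Android 8-era output and may differ between versions.

```python
"""Audit an Android device for DoubleLocker-style footholds via adb.

Added example, not part of the original article. Checks the three things the
article says the malware obtains: an enabled accessibility service, device
administrator rights, and the default home (launcher) app.
"""
import re
import subprocess
from typing import List, Tuple

# Constructed allowlist of packages expected to hold these privileges on a
# stock device. A real deployment would derive it from a known-good baseline.
KNOWN_GOOD = {
    "com.android.launcher3",
    "com.google.android.apps.nexuslauncher",
    "com.google.android.marvin.talkback",
}

# Flattened ComponentName, e.g. com.example.app/.MyService
COMPONENT_RE = re.compile(r"[\w.]+/[\w.$]+")

# --- Constructed sample outputs (what the adb commands below might return) ---
SAMPLE_ACCESSIBILITY = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
    ":com.example.suspicious/.PlayService\n"
)
SAMPLE_HOME = """\
priority=0 preferredOrder=0 match=0x108000 specificIndex=-1 isDefault=true
com.example.suspicious/.LockActivity
"""
SAMPLE_DEVICE_POLICY = """\
Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.example.suspicious/.AdminReceiver:
      uid=10123
      testOnlyAdmin=false
      policies:
        reset-password
        force-lock
  Owner: null
"""


def parse_component_list(settings_value: str) -> List[str]:
    """Parse `settings get secure enabled_accessibility_services`.

    The value is a colon-separated list of flattened component names, or the
    literal string "null" when no accessibility service is enabled.
    """
    value = settings_value.strip()
    if not value or value == "null":
        return []
    return [c for c in value.split(":") if c]


def parse_home_resolver(resolve_output: str) -> List[str]:
    """Parse `cmd package resolve-activity --brief` for the HOME category.

    The --brief form prints a priority/flags line followed by the resolved
    component; we keep only lines that look like a component name.
    """
    lines = [l.strip() for l in resolve_output.splitlines() if l.strip()]
    return [l for l in lines if COMPONENT_RE.fullmatch(l)]


def parse_device_admins(dumpsys_output: str) -> List[str]:
    """Extract admin components from `dumpsys device_policy` (assumed layout).

    Entries are indented below an "Enabled Device Admins" header; the section
    ends at the first non-blank line indented no deeper than that header.
    """
    admins: List[str] = []
    header_indent = None
    for line in dumpsys_output.splitlines():
        stripped = line.strip()
        if header_indent is None:
            if "Enabled Device Admins" in line:
                header_indent = len(line) - len(line.lstrip())
            continue
        if not stripped:
            continue
        if len(line) - len(line.lstrip()) <= header_indent:
            break  # left the section
        m = re.fullmatch(r"([\w.]+/[\w.$]+):?", stripped)
        if m:
            admins.append(m.group(1))
    return admins


def package_of(component: str) -> str:
    """Return the package part of a flattened ComponentName `pkg/cls`."""
    return component.split("/", 1)[0]


def audit(accessibility_value: str, home_output: str,
          device_policy_output: str) -> List[Tuple[str, str]]:
    """Return (finding_kind, package) pairs for packages not on the allowlist."""
    checks = (
        ("accessibility_service", parse_component_list(accessibility_value)),
        ("default_home", parse_home_resolver(home_output)),
        ("device_admin", parse_device_admins(device_policy_output)),
    )
    return [(kind, package_of(c)) for kind, comps in checks
            for c in comps if package_of(c) not in KNOWN_GOOD]


def adb_shell(*args: str) -> str:
    """Run a command on the attached device and return its stdout."""
    return subprocess.run(["adb", "shell", *args], capture_output=True,
                          text=True, check=True).stdout


def main() -> None:
    acc = adb_shell("settings", "get", "secure", "enabled_accessibility_services")
    home = adb_shell("cmd", "package", "resolve-activity", "--brief",
                     "-c", "android.intent.category.HOME",
                     "-a", "android.intent.action.MAIN")
    policy = adb_shell("dumpsys", "device_policy")
    for kind, pkg in audit(acc, home, policy):
        print(f"[!] {kind}: {pkg}")


if __name__ == "__main__":
    main()
```

A single unknown package holding all three privileges at once, as the constructed sample shows, is exactly the pattern the article describes; any one of them alone (a legitimate launcher, a screen reader, an MDM agent) is normal and needs a baseline rather than an alarm.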

The ransomware then changes the device’s PIN to a random number that is not stored by the attackers, which means recovery is impossible.

However, if users pay the ransom demand, the attacker is able to remotely reset the PIN and unlock the device.

The second wave of the campaign locks all files on the device by encrypting them with the AES algorithm. Researchers say there is no way to recover the files without obtaining the decryption key from the attackers.

Currently the ransom demand is 0.0130 bitcoins (US$54) and must be paid within 24 hours. If it is not paid in time, the data is not deleted but remains encrypted.

Although the attackers say that victims will not get their files back if they block or remove the ransomware, anyone with quality security solutions should be safe from it.

However, there is no way to get back data already stored on the device. For those who are infected with DoubleLocker, there are two methods of recourse:

Factory reset the phone; or, for devices that were rooted and in debugging mode before the ransomware was installed, bypass the PIN lock.

“If this condition is met, then the user can connect to the device by ADB and remove the system file where the PIN is stored by Android. This operation unlocks the screen so that the user can access their device. Then, working in safe mode, the user can deactivate device administrator rights for the malware and uninstall it. In some cases, a device reboot is needed,” researchers say.

“DoubleLocker serves as just another reason for mobile users to have a quality security solution installed, and to back up their data on a regular basis,” Štefanko concludes.
