DoubleLocker ransomware encrypts Android files and changes your PIN

16 Oct 17

The world’s first ever Android ransomware that abuses Android Accessibility Services has been called DoubleLocker in honour of its ability to change a device’s PIN and encrypt the data on the device.

ESET researchers discovered what they call an ‘innovative ransomware’ with ‘powerful tools’ for money extortion – the first of its kind targeting Android systems.

According to the researcher who discovered the malware, Lukáš Štefanko, DoubleLocker misuses Android’s accessibility services.

DoubleLocker has its roots in the well-known banking Trojan called Android.BankBot.2.11.origin.

“Its payload can change the device’s PIN, preventing the victim from accessing their device and also encrypts the victim’s data. Such a combination hasn’t been seen yet in the Android ecosystem,” Štefanko says.

He also says it would be simple to add capability for harvesting banking credentials and wiping accounts.

“The additional functionality would turn this malware into what could be called a ransom-banker.”

DoubleLocker is distributed through a fake Adobe Flash Player app hosted on compromised websites.

Once installed, it requests activation of ‘Google Play Service’, through which it gains accessibility permissions and then device administrator rights.

“Setting itself as a default home app – a launcher – is a trick that improves the malware’s persistence. Whenever the user clicks on the home button, the ransomware gets activated and the device gets locked again. Thanks to using the accessibility service, the user doesn’t know that they launch malware by hitting Home,” he explains.
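A defender-side triage script for the three footholds just described (default home app, enabled accessibility service, device administrator), added here as an example; it is not code from ESET or the article. It assumes a device reachable over ADB, and the allow-listed package prefixes are an assumption to adjust for the device being checked.

```shell
#!/usr/bin/env bash
# Triage the persistence footholds DoubleLocker relies on: who owns the HOME
# intent, which accessibility services are enabled, and which device admins exist.
set -eu

# Package prefixes treated as benign launchers/accessibility providers (assumption).
TRUSTED_PREFIXES="com.android. com.google.android. com.sec.android."

# Return 0 when the package starts with a trusted prefix, 1 otherwise.
is_trusted() {
  pkg=$1
  for p in $TRUSTED_PREFIXES; do
    case "$pkg" in "$p"*) return 0 ;; esac
  done
  return 1
}

# Input: output of
#   adb shell cmd package resolve-activity --brief -c android.intent.category.HOME -a android.intent.action.MAIN
# whose last line is "package/.Activity"; prints the package of the default home app.
home_package() {
  printf '%s\n' "$1" | tail -n 1 | cut -d/ -f1
}

# Input: value of adb shell settings get secure enabled_accessibility_services
# (colon-separated "package/service" entries, or "null"); prints one package per line.
accessibility_packages() {
  printf '%s\n' "$1" | tr ':' '\n' | cut -d/ -f1 | sed '/^$/d;/^null$/d'
}

# Reads packages (one per line) on stdin and prints how many are not allow-listed.
count_untrusted() {
  n=0
  while IFS= read -r pkg; do
    [ -n "$pkg" ] || continue
    is_trusted "$pkg" || n=$((n + 1))
  done
  echo "$n"
}

# Live check against a connected device; the helpers above are pure so they can
# also be run over saved command output without a device attached.
triage_device() {
  home=$(home_package "$(adb shell cmd package resolve-activity --brief -c android.intent.category.HOME -a android.intent.action.MAIN)")
  is_trusted "$home" || echo "WARN: default home app is $home"
  accessibility_packages "$(adb shell settings get secure enabled_accessibility_services)" |
    while IFS= read -r pkg; do is_trusted "$pkg" || echo "WARN: accessibility enabled for $pkg"; done
  # Device admin listing format varies by Android version, so matching lines are shown raw.
  adb shell dumpsys device_policy | grep -i 'admin' || true
}
```

Run `triage_device` with a device attached; any WARN line names a package that holds the launcher or accessibility role without being on the allow-list and deserves a closer look.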

The ransomware then changes the device’s PIN to a random number that is not stored by the attackers, which means recovery is impossible.

However, if users pay the ransom demand, the attacker is able to remotely reset the PIN and unlock the device.

The second wave of the campaign locks all files on the device by encrypting them through the AES algorithm. Researchers say there is no way to recover files without getting the decryption key from the attackers.

Currently the ransom demand is 0.0130 bitcoins (US$54) and must be paid within 24 hours. If it is not paid in time, the data is not deleted but remains encrypted.

Although the attackers say that victims will not get their files back if they block or remove the ransomware, anyone with quality security solutions should be safe from it.

However, there is no way to get back data stored on the device. For those who are infected with DoubleLocker, there are two methods of recourse:

Factory reset the phone; or, for devices that were rooted and had debugging enabled before the ransomware was installed, bypass the PIN lock.

“If this condition is met, then the user can connect to the device by ADB and remove the system file where the PIN is stored by Android. This operation unlocks the screen so that the user can access their device. Then, working in safe mode, the user can deactivate device administrator rights for the malware and uninstall it. In some cases, a device reboot is needed,” researchers say.

“DoubleLocker serves as just another reason for mobile users to have a quality security solution installed, and to back up their data on a regular basis,” Štefanko concludes.
