Story image

DoubleLocker ransomware encrypts Android files and changes your PIN

16 Oct 2017

The world’s first ever Android ransomware that abuses Android Accessibility Services has been called DoubleLocker in honour of its ability to change a device’s PIN and encrypt the data on the device.

ESET researchers discovered what they call the ‘innovative ransomware’, has ‘powerful tools’ for money extortion – enough that it is the first of its kind targeting Android systems.

According to the researcher who discovered the malware, Lukáš Štefanko, DoubleLocker misuses Android’s accessibility services.

DoubleLocker has its roots in the well-known banking Trojan called Android.BankBot.2.11.origin.

“Its payload can change the device’s PIN, preventing the victim from accessing their device and also encrypts the victim’s data. Such a combination hasn’t been seen yet in the Android ecosystem,” Štefanko says.

He also says it would be simple to add capability for harvesting banking credentials and wiping accounts.

“The additional functionality would turn this malware into what could be called a ransom-banker.”

DoubleLocker is distributed through a fake Adobe Flash Player app hosted on compromised websites.

When it is installed, it requests activation of ‘Google Play Service’, gains accessibility permissions and device administrator rights.

“Setting itself as a default home app – a launcher – is a trick that improves the malware’s persistence. Whenever the user clicks on the home button, the ransomware gets activated and the device gets locked again. Thanks to using the accessibility service, the user doesn’t know that they launch malware by hitting Home,” he explains.

The ransomware then changes the device’s PIN to a random number that is not stored by the attackers, which means recovery is impossible.

However, if users pay the ransom demand, the attacker is able to remotely reset the PIN and unlock the device.

The second wave of the campaign locks all files on the device by encrypting them through the AES algorithm. Researchers say there is no way to recover files without getting the decryption key from the attackers.

Currently the ransom demand is 0.0130 bitcoins (US$54) and must be paid within 24 hours. If it is not paid in time, the data is not deleted but does still remain encrypted.

Although the attackers say that victims will not get their files back if they block or remove the ransomware, anyone with quality security solutions should be safe from it.

However, there is no way to get back data stored on the device. For those who are infected with DoubleLocker, there are two methods of recourse:

Factory reset the phone; or for rooted devices in debug mode before the ransomware installed, there is a way to get past the PIN lock.

“If this condition is met, then the user can connect to the device by ADB and remove the system file where the PIN is stored by Android. This operation unlocks the screen so that the user can access their device. Then, working in safe mode, the user can deactivate device administrator rights for the malware and uninstall it. In some cases, a device reboot is needed,” researchers say.

“DoubleLocker serves as just another reason for mobile users to have a quality security solution installed, and to back up their data on a regular basis,” Štefanko concludes.

SecOps: Clear opportunities for powerful collaboration
If there’s one thing security and IT ops professionals should do this year, the words ‘team up’ should be top priority.
Interview: Culture and cloud - the battle for cybersecurity
ESET CTO Juraj Malcho talks about the importance of culture in a cybersecurity strategy and the challenges and benefits of a world in the cloud.
Enterprise cloud deployments being exploited by cybercriminals
A new report has revealed a concerning number of enterprises still believe security is the responsibility of the cloud service provider.
Ping Identity Platform updated with new CX and IT automation
The new versions improve the user and administrative experience, while also aiming to meet enterprise needs to operate quickly and purposefully.
Venafi and nCipher Security partner on machine identity protection
Cryptographic keys serve as machine identities and are the foundation of enterprise information technology systems.
Machine learning is a tool and the bad guys are using it
KPMG NZ’s CIO and ESET’s CTO spoke at a recent cybersecurity conference about how machine learning and data analytics are not to be feared, but used.
Seagate: Data trends, opportunities, and challenges at the edge
The development of edge technology and the rise of big data have brought many opportunities for data infrastructure companies to the fore.
Popular Android apps track users and violate Google's policies
Google has reportedly taken action against some of the violators.