SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
DoubleLocker ransomware encrypts Android files and changes your PIN
Mon, 16th Oct 2017
FYI, this story is more than a year old

The world's first ever Android ransomware that abuses Android Accessibility Services has been called DoubleLocker in honour of its ability to change a device's PIN and encrypt the data on the device.

ESET researchers discovered what they call the ‘innovative ransomware', has ‘powerful tools' for money extortion – enough that it is the first of its kind targeting Android systems.

According to the researcher who discovered the malware, Lukáš Štefanko, DoubleLocker misuses Android's accessibility services.

DoubleLocker has its roots in the well-known banking Trojan called Android.BankBot.2.11.origin.

“Its payload can change the device's PIN, preventing the victim from accessing their device and also encrypts the victim's data. Such a combination hasn't been seen yet in the Android ecosystem,” Štefanko says.

He also says it would be simple to add capability for harvesting banking credentials and wiping accounts.

“The additional functionality would turn this malware into what could be called a ransom-banker.

DoubleLocker is distributed through a fake Adobe Flash Player app hosted on compromised websites.

When it is installed, it requests activation of ‘Google Play Service', gains accessibility permissions and device administrator rights.

“Setting itself as a default home app – a launcher – is a trick that improves the malware's persistence. Whenever the user clicks on the home button, the ransomware gets activated and the device gets locked again. Thanks to using the accessibility service, the user doesn't know that they launch malware by hitting Home,” he explains.

The ransomware then changes the device's PIN to a random number that is not stored by the attackers, which means recovery is impossible.

However, if users pay the ransom demand, the attacker is able to remotely reset the PIN and unlock the device.

The second wave of the campaign locks all files on the device by encrypting them through the AES algorithm. Researchers say there is no way to recover files without getting the decryption key from the attackers.

Currently the ransom demand is 0.0130 bitcoins (US$54) and must be paid within 24 hours. If it is not paid in time, the data is not deleted but does still remain encrypted.

Although the attackers say that victims will not get their files back if they block or remove the ransomware, anyone with quality security solutions should be safe from it.

However, there is no way to get back data stored on the device. For those who are infected with DoubleLocker, there are two methods of recourse:

Factory reset the phone; or for rooted devices in debug mode before the ransomware installed, there is a way to get past the PIN lock.

“If this condition is met, then the user can connect to the device by ADB and remove the system file where the PIN is stored by Android. This operation unlocks the screen so that the user can access their device. Then, working in safe mode, the user can deactivate device administrator rights for the malware and uninstall it. In some cases, a device reboot is needed,” researchers say.

“DoubleLocker serves as just another reason for mobile users to have a quality security solution installed, and to back up their data on a regular basis,” Štefanko concludes.