Android users face a new threat this season. A new strain of Android ransomware has been detected that both encrypts victims’ data and changes the device PIN, making it next to impossible to get the files back without paying the ransom.
DoubleLocker combines a devious infection mechanism with two powerful tools for extorting money from its victims.
In the words of Lukáš Štefanko, the malware researcher at security firm ESET who discovered DoubleLocker, “Its payload can change the device’s PIN, preventing the victim from accessing their device and encrypts the victim’s data. Such a combination hasn’t been seen yet in the Android ecosystem. DoubleLocker misuses Android accessibility services, which is a popular trick among cybercriminals.”
This ransomware is based on a banking trojan, which strongly implies that account-compromising functionality could easily be added. The malware also spreads in the same way as the banking trojan it derives from: as a fake Adobe Flash Player update pushed via compromised websites.
The Way it works:
Infection starts with the app asking the user to activate the malware’s accessibility service, which is presented under the name ‘Google Play Service’. Once it has been granted accessibility permissions, the malware uses them to activate device administrator rights for itself and to set itself as the default Home application, in both cases without the user’s consent.
Štefanko noted: “Setting itself as a default home app – a launcher – is a trick that improves the malware’s persistence. Whenever the user clicks on the home button, the ransomware gets activated and the device gets locked again. Thanks to using the accessibility service, the user doesn’t know that they launch malware by hitting Home.”
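The behaviour described above comes down to one package holding three sensitive roles at once: an enabled accessibility service, device administrator rights, and the default Home app. That combination can be checked for on an attached device over adb. The helper below is an added example written for this page, not ESET’s tooling and not anything taken from DoubleLocker; it assumes `adb` is on PATH and parses the output of `settings get secure enabled_accessibility_services`, `dumpsys device_policy` and `cmd package resolve-activity`. The exact output formats, the allowlists, and the sample outputs (including the package name `com.flash.update`) are assumptions constructed for illustration.

```python
"""Added example: triage an Android device for the DoubleLocker-style role combination
(accessibility service + device admin + default HOME app held by one package).
Assumes adb is on PATH; the parsers are also exercised on constructed sample output."""
import re
import subprocess

# Allowlists are an assumption for illustration; tune them to the device build.
ALLOWED_ACCESSIBILITY = {"com.google.android.marvin.talkback"}
ALLOWED_ADMINS = {"com.google.android.gms"}  # e.g. Find My Device
ALLOWED_LAUNCHERS = {"com.google.android.apps.nexuslauncher", "com.android.launcher3"}

# Constructed sample output in the shape the three adb commands produce.
SAMPLE_ACCESSIBILITY = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.flash.update/com.flash.update.GooglePlayService"
)
SAMPLE_DUMPSYS = """Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.google.android.gms/com.google.android.gms.mdm.receivers.MdmDeviceAdminReceiver:
      uid=10011
      policies:
        force-lock
    com.flash.update/com.flash.update.AdminReceiver:
      uid=10215
      policies:
        reset-password
        force-lock
"""
SAMPLE_RESOLVE = """priority=0 preferredOrder=0 match=0x108000 specificIndex=-1 isDefault=true
com.flash.update/.HomeActivity
"""


def adb_shell(*args):
    """Run `adb shell <args>` and return stdout; only used when triaging a live device."""
    return subprocess.run(["adb", "shell", *args], capture_output=True,
                          text=True, check=True).stdout


def parse_accessibility_services(value):
    """Value of enabled_accessibility_services: colon-separated 'pkg/Service' entries,
    or 'null' when nothing is enabled. Returns the set of package names."""
    value = value.strip()
    if not value or value == "null":
        return set()
    return {entry.split("/", 1)[0] for entry in value.split(":") if entry}


def parse_device_admins(dumpsys_text):
    """Package names of active admin receivers, listed in dumpsys as 'pkg/Receiver:' lines."""
    pattern = re.compile(r"^\s*([A-Za-z][\w.]*)/[\w.$]+:\s*$", re.MULTILINE)
    return set(pattern.findall(dumpsys_text))


def parse_default_home(resolve_output):
    """Package that currently answers the HOME intent; the resolver prints 'pkg/Activity' last."""
    lines = [line.strip() for line in resolve_output.splitlines() if line.strip()]
    if not lines or "/" not in lines[-1]:
        return None
    return lines[-1].split("/", 1)[0]


def triage(accessibility, admins, home):
    """Map each non-allowlisted package to the sensitive roles it holds."""
    roles = {}
    for pkg in accessibility - ALLOWED_ACCESSIBILITY:
        roles.setdefault(pkg, []).append("accessibility service")
    for pkg in admins - ALLOWED_ADMINS:
        roles.setdefault(pkg, []).append("device admin")
    if home and home not in ALLOWED_LAUNCHERS:
        roles.setdefault(home, []).append("default HOME app")
    return dict(sorted(roles.items()))


def likely_locker(report):
    """Packages holding at least two of the roles: the DoubleLocker persistence pattern."""
    return sorted(pkg for pkg, held in report.items() if len(held) >= 2)


def triage_sample():
    """Run the checks on the constructed sample output (no device needed)."""
    return triage(parse_accessibility_services(SAMPLE_ACCESSIBILITY),
                  parse_device_admins(SAMPLE_DUMPSYS),
                  parse_default_home(SAMPLE_RESOLVE))


def triage_device():
    """Run the same checks against an attached device over adb."""
    return triage(
        parse_accessibility_services(
            adb_shell("settings", "get", "secure", "enabled_accessibility_services")),
        parse_device_admins(adb_shell("dumpsys", "device_policy")),
        parse_default_home(adb_shell("cmd", "package", "resolve-activity", "--brief",
                                     "-a", "android.intent.action.MAIN",
                                     "-c", "android.intent.category.HOME")),
    )


if __name__ == "__main__":
    report = triage_sample()
    for pkg, held in report.items():
        print(f"{pkg}: {', '.join(held)}")
    print("likely locker:", likely_locker(report))
```

On the constructed sample, `com.flash.update` is flagged in all three roles, which is exactly the pattern the text describes; a package that only appears as an accessibility service is reported but not promoted to "likely locker". A second party to this check is timing: because the lock screen returns as soon as Home is pressed, the adb session should be established before the device is unlocked or the checks scripted to run unattended.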
More on the DoubleLocker:
Once DoubleLocker is in place on a compromised device, it gives the victim two reasons to pay. First, it changes the device’s PIN, locking the user out of the device. Second, it encrypts all files in the device’s primary storage with the AES encryption algorithm.
For a non-rooted device, the only way to clean DoubleLocker off is a factory reset, which also wipes the encrypted files. On a rooted device there is a way around the PIN lock that does not require wiping the device, which at least leaves the encrypted files in place for a later recovery attempt.