Posted on October 17, 2017 at 4:19 PM
DoubleLocker has the power to encrypt your data and permanently change your PIN to lock your phone forever.
Security researchers from ESET recently discovered a new ransomware that infiltrates Android devices using a technique previously employed by Trojans. The ransomware can encrypt the data on a user’s device and also change the device’s PIN.
The ransomware, called DoubleLocker because of its two-way locking of the device, has been designed to frustrate users to the point of relenting and paying the ransom. It imitates an Adobe Flash update that is spread through compromised websites.
After DoubleLocker has been downloaded onto a victim’s device, the impostor Adobe Flash app requests permission to activate “Google Play Services” in order to abuse the device’s accessibility services. This feature exists to make phones easier to use for people with disabilities.
While this method has previously been used by typical data-stealing Trojans, this is the first instance of cybercriminals using the technique to demand a ransom.
Once the permission is granted, DoubleLocker immediately uses the accessibility service to obtain further permissions, including access to window content, which in turn lets it install its code. It then installs itself as the default Home app. When the user next returns to the Home screen, they find the ransom note there.
ESET malware researcher Lukáš Štefanko confirmed that the ransom note is delivered through the Home app in order to enhance the persistence of the malware. The malware poses as the Home app (the launcher), the software responsible for the appearance of the device’s home screen and for creating shortcuts. By taking over this role, the attackers lock the device.
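The two roles the article describes, an accessibility service combined with a Home-screen launcher, are both declared in an app’s AndroidManifest.xml, so a defender can flag that combination during app triage. The following Python script is an added example, not ESET’s tooling or anything from the DoubleLocker sample: it parses a manifest (assumed to have been extracted from the APK beforehand, which is not shown here) and reports apps that declare both roles. The two manifests embedded below are constructed for the example, and the package names in them are placeholders.

```python
import xml.etree.ElementTree as ET

# Android manifest attributes live in this namespace (android:name, android:permission, ...).
ANDROID_NS = "http://schemas.android.com/apk/res/android"
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"
HOME_CATEGORY = "android.intent.category.HOME"


def _attr(elem, name):
    """Read an android:-namespaced attribute from a manifest element."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def declares_accessibility_service(root):
    """True if any <service> binds as an accessibility service."""
    for svc in root.iter("service"):
        if _attr(svc, "permission") == ACCESSIBILITY_PERMISSION:
            return True
        for action in svc.iter("action"):
            if _attr(action, "name") == ACCESSIBILITY_ACTION:
                return True
    return False


def declares_home_launcher(root):
    """True if any <activity> offers itself as a Home screen (launcher) app."""
    for activity in root.iter("activity"):
        for cat in activity.iter("category"):
            if _attr(cat, "name") == HOME_CATEGORY:
                return True
    return False


def triage_manifest(manifest_xml):
    """Return the package name, the roles found, and whether the combination is suspicious."""
    root = ET.fromstring(manifest_xml)
    findings = []
    if declares_accessibility_service(root):
        findings.append("accessibility-service")
    if declares_home_launcher(root):
        findings.append("home-launcher")
    # A single app that is both an accessibility service and a Home launcher matches
    # the DoubleLocker pattern; either role on its own is common in legitimate apps.
    return {
        "package": root.get("package"),
        "findings": findings,
        "suspicious": len(findings) == 2,
    }


# Constructed manifest mimicking the described pattern (placeholder package name).
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeflashupdate">
  <application>
    <service android:name=".Svc"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <activity android:name=".Lock">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.HOME"/>
        <category android:name="android.intent.category.DEFAULT"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""

# Constructed manifest of an ordinary launcher: Home role only, no accessibility service.
BENIGN_LAUNCHER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.plainlauncher">
  <application>
    <activity android:name=".Main">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.HOME"/>
        <category android:name="android.intent.category.DEFAULT"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""


if __name__ == "__main__":
    for manifest in (SUSPICIOUS_MANIFEST, BENIGN_LAUNCHER_MANIFEST):
        print(triage_manifest(manifest))
```

The check is deliberately narrow: accessibility services and launchers are both legitimate on their own, so the script only raises a flag when one package claims both roles, which is the combination the article attributes to DoubleLocker. Treat a hit as a prompt for closer review of the app, not as proof of infection.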
DoubleLocker then encrypts the data on the device with the AES encryption algorithm, appending the .cryeye extension to the encrypted files. The encryption is implemented effectively and can only be reversed with the decryption key.
In addition to the encryption, the device’s PIN is changed to a randomly generated number that the attackers themselves do not store, which effectively makes recovering the device impossible. The PIN is reset after the requested ransom has been paid. The attackers generally give victims 24 hours to pay.
The ransom is comparatively low. At present, the attackers ask for 0.0130 bitcoin (the equivalent of $73). Some experts have suggested the price is set that low to encourage payment.
If victims refuse to pay, they have the option of performing a factory reset. The reset fully reformats the device, deleting all data that is not backed up. While this is technically an option, most users will not be able to get past the changed PIN to perform a factory reset.
Researchers have warned users to avoid downloading or installing apps and software from third-party websites and to obtain software only from reliable, authentic sources in order to avoid falling victim to DoubleLocker.