Android ransomware DoubleLocker encrypts data and changes PINs


This particular ransomware strain has connections to the infamous Svpeng Android banking trojan, one of the oldest and most "innovative" Android malware strains. While it currently lacks the modules needed to steal users' banking credentials, that functionality could easily be added in a future version, turning it into two-stage malware that first tries to wipe the victim's bank or PayPal account and then locks the device and its data to demand a ransom. As it stands, the ransomware can completely lock down the victim's phone, encrypting its data and changing the device PIN. "Thanks to using the accessibility service, the user doesn't know that they launched malware by hitting Home", says Lukáš Štefanko, malware researcher at ESET.

Dubbed DoubleLocker by researchers at ESET who discovered it, the ransomware is spread as a fake Adobe Flash update via compromised websites.

Once installed, the fake Flash Player app asks the user to activate a purported "Google Play Services" feature. What it is really requesting is access to Android's accessibility service, a facility built to help people with disabilities use their phones, and with that one permission it can drive the system's own dialogs on the user's behalf. It uses the accessibility service to grant itself device administrator rights and to set itself as the default home (launcher) application, with no further consent from the user. From then on, every press of the Home button launches the ransomware and the device is locked again.

DoubleLocker uses this trick as a persistence mechanism, to ensure users can't bypass the lock screen.

The ransomware applies two separate locks. First, it changes the victim's PIN. Once that has happened the device cannot be unlocked: the new PIN is a random string of digits that is neither stored on the device nor sent to the operators, so neither the victim nor a security researcher can recover it. The operators can, however, reset the PIN remotely once the ransom is paid. Unlike Svpeng, this version shows no interest in the financial data on the device.

Second, it encrypts every file in the device's primary storage directory, using the AES algorithm and appending the filename extension ".cryeye" to each encrypted file.

Victims are given 24 hours to pay 0.0130 Bitcoin (about $73.38 at the time of writing) to have their data decrypted. The ransom note warns, "Without [the software], you will never be able to get your original files back", and, to prevent the "software" from being removed, advises the victim to disable any antivirus on the device.

On a device that is not rooted and has no mobile device management (MDM) solution capable of resetting the PIN, the only way past the lock screen is a factory reset, which also wipes the data. A rooted device is different: provided USB debugging was enabled before the infection (Settings - Developer options - USB Debugging), the user can connect over ADB and delete the system file in which Android stores the PIN, which clears the lock screen and lets the user set a new PIN. Neither route decrypts the files: the factory reset erases them, and removing the PIN file only lifts the lock.
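As an added example (not ESET's code and not from the original article), the following Python script shows how an analyst with ADB access would check a device for the combination described above: a single package that holds an enabled accessibility service together with device administrator rights and/or the default HOME role, plus a count of ".cryeye" files. It parses the output of four `adb shell` commands. The sample strings are constructed, not captured from an infected device, and the package name com.example.fakeflash is a placeholder for the fake Flash updater, not a known indicator. The live collection path assumes USB debugging was authorised before the lock, as noted above, and Android 7 or later for `cmd package resolve-activity` and toybox `find`.

```python
"""Offline triage for a DoubleLocker-style Android lock (added example).

Parses the output of four `adb shell` commands and flags any package that
holds an enabled accessibility service together with device-admin rights
and/or the default HOME role, which is the combination the article
describes. Samples are constructed, not captured from a real device, and
com.example.fakeflash is a placeholder package name, not a known indicator.
"""
from __future__ import annotations

import re
import subprocess
from dataclasses import dataclass, field

# --- constructed sample output (shapes follow Android 7+ tooling) ----------
# settings get secure enabled_accessibility_services
SAMPLE_ACCESSIBILITY = (
    "com.example.fakeflash/.Accessibility:"
    "com.google.android.marvin.talkback/.TalkBackService"
)
# dumpsys device_policy (only the part this script reads)
SAMPLE_DEVICE_POLICY = """Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.example.fakeflash/.DeviceAdminReceiver:
      uid=10123
      policies:
        reset-password
        force-lock
  Password mode: 0x0
"""
# cmd package resolve-activity -a android.intent.action.MAIN -c android.intent.category.HOME
SAMPLE_HOME = """priority=0 preferredOrder=0 match=0x108000 isDefault=true
ActivityInfo:
  name=com.example.fakeflash.LockActivity
  packageName=com.example.fakeflash
"""
# find /sdcard -name '*.cryeye'
SAMPLE_FIND = """/sdcard/DCIM/IMG_0001.jpg.cryeye
/sdcard/Download/report.pdf.cryeye
/sdcard/Download/notes.txt
"""

# Accessibility services expected on a stock device (assumed allowlist).
KNOWN_ACCESSIBILITY = {"com.google.android.marvin.talkback"}


def parse_accessibility(raw: str) -> set[str]:
    """Value is 'pkg/service:pkg/service', or 'null' when none are enabled."""
    raw = raw.strip()
    if not raw or raw == "null":
        return set()
    return {entry.split("/", 1)[0] for entry in raw.split(":") if entry}


def parse_device_admins(dumpsys: str) -> set[str]:
    """Take the 'pkg/Receiver:' lines listed under Enabled Device Admins."""
    return set(re.findall(r"^ {4}([\w.]+)/[\w.$]+:\s*$", dumpsys, re.M))


def parse_home_resolver(raw: str) -> str | None:
    """Package that currently resolves the HOME intent (the launcher)."""
    m = re.search(r"^\s*packageName=(\S+)", raw, re.M)
    return m.group(1) if m else None


def count_cryeye(find_output: str) -> int:
    """Number of paths carrying the .cryeye extension DoubleLocker appends."""
    return sum(1 for p in find_output.splitlines() if p.strip().endswith(".cryeye"))


@dataclass
class Triage:
    suspects: set[str] = field(default_factory=set)
    reasons: dict[str, list[str]] = field(default_factory=dict)
    default_home: str | None = None
    encrypted_files: int = 0


def triage(acc: str, dpm: str, home: str, find_out: str) -> Triage:
    """Accessibility alone is common for benign apps; require it plus
    device admin and/or the HOME role before calling a package suspect."""
    accessibility = parse_accessibility(acc) - KNOWN_ACCESSIBILITY
    admins = parse_device_admins(dpm)
    t = Triage(default_home=parse_home_resolver(home),
               encrypted_files=count_cryeye(find_out))
    for pkg in accessibility:
        why = ["accessibility service enabled"]
        if pkg in admins:
            why.append("device admin")
        if pkg == t.default_home:
            why.append("default HOME launcher")
        if len(why) > 1:
            t.suspects.add(pkg)
            t.reasons[pkg] = why
    return t


def collect_via_adb(serial: str | None = None) -> Triage:
    """Live path: needs USB debugging authorised before the lock. Not run offline."""
    base = ["adb"] + (["-s", serial] if serial else []) + ["shell"]

    def sh(*args: str) -> str:
        return subprocess.run(base + list(args), capture_output=True,
                              text=True, check=True).stdout

    return triage(
        sh("settings", "get", "secure", "enabled_accessibility_services"),
        sh("dumpsys", "device_policy"),
        sh("cmd", "package", "resolve-activity", "-a",
           "android.intent.action.MAIN", "-c", "android.intent.category.HOME"),
        sh("find", "/sdcard", "-name", "'*.cryeye'"),
    )


if __name__ == "__main__":
    r = triage(SAMPLE_ACCESSIBILITY, SAMPLE_DEVICE_POLICY, SAMPLE_HOME, SAMPLE_FIND)
    for pkg in sorted(r.suspects):
        print(pkg, "->", ", ".join(r.reasons[pkg]))
    print("default HOME:", r.default_home, "| .cryeye files:", r.encrypted_files)
```

An accessibility service by itself is not an indicator; screen readers and password managers use it legitimately, which is why the script keeps an allowlist and only reports a package that also holds device admin rights or the launcher role. A package that hits all three is the profile this article describes, and the `.cryeye` count tells you whether the encryption stage has already run, which is what decides whether clearing the PIN file on a rooted device gets anything back.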

DoubleLocker is a threat to any Android device. It is particularly worrying because it does not need a rooted phone, which would give an attacker extra privileges to run arbitrary code; it gets everything it needs from a single accessibility permission, yet the effect is severe: the user is locked completely out of their own device.


© 2015 ExpressNewsline. All Rights reserved.