Android ransomware DoubleLocker encrypts data and changes PINs

This particular ransomware strain is connected to the infamous Svpeng Android banking trojan, one of the oldest and most "innovative" Android malware families. While it currently lacks the modules to steal users' banking credentials, that functionality could easily be added in the future, yielding two-stage malware that first tries to wipe your bank or PayPal account and subsequently locks your device and data to request a ransom. The ransomware can completely lock down the victim's phone, encrypting its data and changing the infected phone's PIN. "Thanks to using the accessibility service, the user doesn't know that they launched malware by hitting Home," says Lukáš Štefanko, malware researcher at ESET.

Dubbed DoubleLocker by the ESET researchers who discovered it, the ransomware spreads as a fake Adobe Flash update served from compromised websites.

Once installed, the fake Adobe Flash app asks the user to activate "Google Play Services", which is in fact the malware's own accessibility service. Accessibility services exist to help people with disabilities use their phone, but they also let an app read what is on screen and tap buttons on the user's behalf. DoubleLocker abuses that grant to click through the system dialogs itself: it activates device administrator rights and sets itself as the default home (launcher) application, without asking the user for either. From then on, every press of the Home button launches the ransomware and the device is locked again.

DoubleLocker uses the launcher trick as a persistence mechanism: because the Home button re-activates it, the user cannot bypass the lock screen simply by navigating away.

First, DoubleLocker changes the device's PIN. The new PIN is a random string of digits that is neither stored on the device nor sent to the attackers, so neither the victim nor a security expert can recover it; the attackers can only reset it remotely, which they offer to do once the ransom is paid. Unlike its banking-trojan ancestor, the current version shows no interest in financial information on the device.

Second, DoubleLocker encrypts all files in the device's primary storage directory. According to ESET's analysis, "it utilizes the AES encryption algorithm, appending the filename extension '.cryeye'".

Victims have 24 hours to pay 0.0130 Bitcoin (about $73.38 at the time of this writing) to get their data decrypted. The ransom note warns that "without [the software], you will never be able to get your original files back", and, to prevent the "software" from being removed, the crooks even recommend disabling the user's antivirus software.

For devices that are not rooted and have no mobile device management (MDM) solution capable of resetting the PIN, the only way to remove the PIN lock screen is a factory reset. Rooted devices offer an alternative, provided USB debugging (Settings - Developer options - USB Debugging) was already enabled before the infection: the user can connect over ADB and delete the system file in which Android stores the PIN, which unlocks the screen; the malware's device administrator rights can then be revoked and the app uninstalled. Note that removing the PIN lock does not undo the AES encryption: the ".cryeye" files stay encrypted without the key.
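The two artefacts described above, an accessibility service enabled for a sideloaded app and files carrying the ".cryeye" extension, can be checked from a workstation once ADB reaches the device. The script below is an added example for this page, not ESET's code and not part of the malware. It parses constructed samples in the formats returned by `adb shell settings get secure enabled_accessibility_services`, `adb shell pm list packages -3` and `adb shell find /sdcard -type f`, and reports the suspicious package and the directories that were encrypted. The package name `com.adobe.flashplayer.update`, the file paths and the accessibility allowlist are assumptions for illustration only.

```python
"""Offline triage for a suspected DoubleLocker-style infection (added example)."""
import posixpath
from collections import Counter

# Constructed sample of `settings get secure enabled_accessibility_services`:
# flattened ComponentNames separated by ':' (the setting reads "null" when empty).
SAMPLE_ACCESSIBILITY = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.adobe.flashplayer.update/com.adobe.flashplayer.update.GooglePlayService"
)

# Constructed sample of `pm list packages -3` (third-party packages only).
SAMPLE_THIRD_PARTY = """package:com.whatsapp
package:com.adobe.flashplayer.update
package:org.mozilla.firefox
"""

# Constructed sample of `find /sdcard -type f` on primary storage after encryption.
SAMPLE_FILES = """/sdcard/DCIM/Camera/IMG_0001.jpg.cryeye
/sdcard/DCIM/Camera/IMG_0002.jpg.cryeye
/sdcard/Download/invoice.pdf.cryeye
/sdcard/Android/data/com.whatsapp/cache/tmp.bin
"""

# Assumed operator-maintained allowlist of packages expected to run an
# accessibility service on this fleet (not an Android built-in list).
KNOWN_GOOD_ACCESSIBILITY = {"com.google.android.marvin.talkback"}


def parse_enabled_services(setting):
    """Split the secure setting into (package, fully qualified class) pairs."""
    if setting is None or setting.strip() in ("", "null"):
        return []
    pairs = []
    for component in setting.strip().split(":"):
        pkg, _, cls = component.partition("/")
        if cls.startswith("."):          # shorthand: class relative to package
            cls = pkg + cls
        pairs.append((pkg, cls))
    return pairs


def parse_package_list(output):
    """Turn `package:<name>` lines into a set of package names."""
    return {line[len("package:"):].strip()
            for line in output.splitlines() if line.startswith("package:")}


def suspicious_accessibility(setting, third_party, allowlist=KNOWN_GOOD_ACCESSIBILITY):
    """Third-party packages holding an accessibility grant that is not allowlisted.

    A sideloaded app with accessibility enabled is exactly the foothold
    DoubleLocker needs to grant itself device admin and the home role.
    """
    return sorted(pkg for pkg, _ in parse_enabled_services(setting)
                  if pkg in third_party and pkg not in allowlist)


def encrypted_files(listing, ext=".cryeye"):
    """Count files carrying the ransomware's extension, grouped by directory."""
    paths = [p.strip() for p in listing.splitlines() if p.strip().endswith(ext)]
    return Counter(posixpath.dirname(p) for p in paths)


def triage(setting, pkg_output, listing):
    """Combine both checks into one report dictionary."""
    third_party = parse_package_list(pkg_output)
    return {
        "suspicious_accessibility": suspicious_accessibility(setting, third_party),
        "encrypted_by_dir": dict(encrypted_files(listing)),
    }


if __name__ == "__main__":
    # Stand-alone run against the constructed samples above.
    for key, value in triage(SAMPLE_ACCESSIBILITY, SAMPLE_THIRD_PARTY, SAMPLE_FILES).items():
        print(f"{key}: {value}")
```

The script is read-only triage: it tells you which package to remove and how much of primary storage was touched, but it does not revoke device administrator rights or recover the PIN, which still follow the steps described above.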

DoubleLocker is a threat to any Android device. It is particularly worrying because it does not need a rooted phone, which would give the attacker extra privileges to run code, yet its effect is severe: the user is locked completely out of their own device.

© 2015 ExpressNewsline. All Rights reserved.