Android ransomware DoubleLocker encrypts data and changes PINs

This particular ransomware strain has connections to the infamous Svpeng Android banking trojan, one of the oldest and most "innovative" Android malware strains. While it does not currently contain modules to steal users' banking credentials, that functionality could easily be added in the future. The ransomware can completely lock down the victim's phone, encrypting all data and changing the infected phone's PIN. "Thanks to using the accessibility service, the user doesn't know that they launched malware by hitting Home", says Lukáš Štefanko, malware researcher at ESET. The worry is that it could become two-stage malware that first tries to wipe the victim's bank or PayPal account and then locks the device and data to demand a ransom.

Dubbed DoubleLocker by researchers at ESET who discovered it, the ransomware is spread as a fake Adobe Flash update via compromised websites.

Once downloaded onto the device, the fake Adobe Flash app asks the user to activate "Google Play Services". What it is really requesting is access to accessibility services, a function created to help people with disabilities use their phone. With those accessibility permissions granted, the ransomware uses them to activate device administrator rights for itself and to set itself as the default home application (the app launcher). Whenever the user presses the Home button, the ransomware is activated and the device is locked again.

DoubleLocker uses this trick as a persistence mechanism, to ensure users can't bypass the lock screen.
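The capability combination described above (an accessibility service, a device-admin receiver and an activity registered as the HOME launcher) is something a defender can look for statically in an app's manifest. The following is an added illustration, not code from ESET or from the malware; the manifest it parses is constructed here, and the package name and component names are placeholders.

```python
# Added example (not ESET's or the malware's code): static triage of an
# AndroidManifest.xml for the capability trio the article describes DoubleLocker
# abusing: accessibility service + device-admin receiver + HOME launcher activity.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
# (element tag, android: attribute, expected value, label)
CHECKS = (
    ("service", "permission", "android.permission.BIND_ACCESSIBILITY_SERVICE", "accessibility_service"),
    ("receiver", "permission", "android.permission.BIND_DEVICE_ADMIN", "device_admin"),
    ("category", "name", "android.intent.category.HOME", "home_launcher"),
)
REQUIRED = {label for _, _, _, label in CHECKS}

# Constructed manifest for illustration; the package name is a placeholder.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.placeholder.flashupdate">
  <application android:label="Adobe Flash Player">
    <service android:name=".A11yService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
    <activity android:name=".LockActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.HOME"/>
        <category android:name="android.intent.category.DEFAULT"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""


def triage_manifest(xml_text):
    """Return the set of risky capabilities declared in the manifest."""
    root = ET.fromstring(xml_text)
    found = set()
    for tag, attr, value, label in CHECKS:
        for elem in root.iter(tag):
            # ElementTree expands android:attr to Clark notation {ns}attr
            if elem.get("{%s}%s" % (ANDROID_NS, attr)) == value:
                found.add(label)
    return found


def is_doublelocker_like(xml_text):
    """A HOME launcher alone is normal; all three together match the article's pattern."""
    return REQUIRED <= triage_manifest(xml_text)
```

A legitimate launcher replacement declares HOME but neither privileged binding, so only the full trio is flagged; this is a triage heuristic, not proof of maliciousness.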

Once DoubleLocker changes a victim's PIN code, it is impossible to regain access to the device: the new PIN is a random sequence of digits that is not saved anywhere. The current version is not interested in financial information on the device; instead it encrypts the data and changes the PIN code of the smartphone or tablet. The changed PIN is almost impossible for either the victim or security experts to retrieve, because the hackers operating DoubleLocker neither store the altered PIN nor send it out. The hackers can remotely reset the PIN once the ransom is paid.

Besides changing the PIN, DoubleLocker encrypts all files in the device's primary storage directory. It uses the AES encryption algorithm and appends the filename extension ".cryeye" to each encrypted file.

Users with DoubleLocker-infected devices have 24 hours to pay 0.0130 Bitcoin (about $73.38 at the time of this writing) to decrypt their data.

A deadline of 24 hours for paying the ransom is issued by the attackers, who claim "Without [the software], you will never be able to get your original files back". To prevent unwanted removal of the "software", the crooks even recommend disabling the user's antivirus software.

For devices that are not rooted and that don't have a mobile device management solution installed capable of resetting the PIN, the only way to remove the PIN lock screen is a factory reset. On a rooted device, however, the user can remove the system file where the PIN is stored, which allows the device to be reset manually. For this to work, the device must already have debugging enabled (Settings - Developer options - USB Debugging).

DoubleLocker is a threat to any Android device. It is particularly worrying because it does not require a "rooted" phone (which would give the attacker extra access to run their own code), yet its effect is severe: it locks the user completely out of their own device.

© 2015 ExpressNewsline. All Rights reserved.