Android ransomware DoubleLocker encrypts data and changes PINs


This particular ransomware strain has connections to the infamous Svpeng Android banking trojan, one of the oldest and most "innovative" Android malware strains. While it currently lacks the modules to steal users' banking credentials, that functionality could easily be added in the future. The ransomware can totally lock down the victim's phone, encrypting all data and changing the infected phone's PIN. "Thanks to using the accessibility service, the user doesn't know that they launched malware by hitting Home", says Lukáš Štefanko, malware researcher at ESET. The result could be two-stage malware that first tries to wipe the victim's bank or PayPal account and subsequently locks the device and data to request a ransom...

Dubbed DoubleLocker by researchers at ESET who discovered it, the ransomware is spread as a fake Adobe Flash update via compromised websites.

Once downloaded onto the device, the fake Adobe Flash app asks the user to activate "Google Play Services", abusing a series of permissions obtained through accessibility services, a function created to help people with disabilities use their phone. The ransomware asks the victim to grant accessibility permissions, which it uses to activate device administrator rights and to set itself as the default home application (the app launcher). Whenever the user presses the Home button, the ransomware is activated and the device is locked again.

DoubleLocker uses this trick as a persistence mechanism, to ensure users can't bypass the lock screen.
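As an added example (not part of the article or of ESET's research), the following Python triage script checks, from the output of three adb commands run against a device with USB debugging enabled, whether the app currently registered as the home launcher also holds an enabled accessibility service or device-administrator rights, the privilege combination described above. The sample command outputs, their assumed formats and the package names are constructed placeholders, not indicators of any real malware.

```python
import re

# Constructed sample outputs (assumed formats, not taken from the article) of:
#   adb shell settings get secure enabled_accessibility_services
#   adb shell cmd package resolve-activity --brief -c android.intent.category.HOME -a android.intent.action.MAIN
#   adb shell dumpsys device_policy
# "com.example.fakeflash" is a placeholder package name.
ENABLED_A11Y = ("com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
                ":com.example.fakeflash/com.example.fakeflash.A11yService")
HOME_RESOLVE = """priority=0 preferredOrder=0 match=0x108000 specificIndex=-1 isDefault=true
com.example.fakeflash/.LockActivity"""
DEVICE_POLICY = """Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    ComponentInfo{com.example.fakeflash/com.example.fakeflash.AdminReceiver}:
      uid=10123
"""

def accessibility_packages(raw):
    """Packages with an enabled accessibility service (colon-separated flattened components)."""
    return {c.split("/")[0] for c in raw.strip().split(":") if c}

def home_package(raw):
    """Package of the activity that currently resolves the HOME intent (the launcher)."""
    for line in raw.splitlines():
        line = line.strip()
        if "/" in line and "=" not in line:   # skip the key=value header line
            return line.split("/")[0]
    return None

def device_admin_packages(raw):
    """Packages registered as device admins, taken from ComponentInfo{pkg/cls} entries."""
    return set(re.findall(r"ComponentInfo\{([\w.]+)/", raw))

def suspicious_launcher(a11y_raw, home_raw, policy_raw, known_launchers=frozenset()):
    """Return (home_package, reasons) when the current launcher is not an allow-listed
    launcher and also holds accessibility and/or device-admin privileges; else None."""
    home = home_package(home_raw)
    if home is None or home in known_launchers:
        return None
    reasons = []
    if home in accessibility_packages(a11y_raw):
        reasons.append("enabled accessibility service")
    if home in device_admin_packages(policy_raw):
        reasons.append("device administrator")
    return (home, reasons) if reasons else None

if __name__ == "__main__":
    print(suspicious_launcher(ENABLED_A11Y, HOME_RESOLVE, DEVICE_POLICY))
```

A hit does not prove infection; it identifies the launcher as the app to inspect (or uninstall via adb after revoking its admin rights) before resorting to a factory reset.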

Once DoubleLocker changes a victim's PIN code, it's impossible to gain access to the device: the new PIN is a random selection of digits that isn't saved anywhere. Rather than going after financial information on the device, the malware encrypts the data and changes the PIN code of the smartphone or tablet. The changed PIN is almost impossible for either the victim or security experts to retrieve, as the hackers operating DoubleLocker neither store the altered PIN nor send it out. They can remotely reset the PIN once the ransom is paid.

In addition, DoubleLocker encrypts all files in the device's primary storage directory. It "utilizes the AES encryption algorithm, appending the filename extension '.cryeye'".

Users with DoubleLocker-infected devices have 24 hours to pay 0.0130 Bitcoin (about $73.38 at the time of this writing) to decrypt their data.

A deadline of 24 hours for paying the ransom is issued by the attackers, who claim "Without [the software], you will never be able to get your original files back". To prevent unwanted removal of the "software", the crooks even recommend disabling the user's antivirus software.

For devices that are not rooted and that don't have a mobile device management solution installed that is capable of resetting the PIN, the only way to remove the PIN lock screen is a factory reset. If the device is rooted, however, the user can remove the system file where the PIN is stored, which allows the PIN to be reset manually. For this to work, the device needs to have debugging enabled (Settings - Developer options - USB Debugging).

DoubleLocker is a threat to any Android device. It is particularly worrying because it doesn't require a "rooted" phone, which would give the attacker extra access to run their own code, yet its effect is severe: it locks the user completely out of their own device.

© 2015 ExpressNewsline. All Rights reserved.