Security researchers discover new Ransomware ‘DoubleLocker’ affecting Android devices
A new Android ransomware, dubbed DoubleLocker, has been uncovered by Enjoy Safer Technology (ESET) researchers. The ransomware locks down the victim’s phone, encrypts all data and changes the user’s PIN, making it almost impossible for victims to retrieve their data or recover access to the phone without paying the ransom.
ESET researchers report that the malware poses as a fake Adobe Flash Player app distributed through compromised websites.
The ransomware asks its victims to grant it accessibility permissions, which it then uses to activate device administrator rights and set itself as the default home application.
ESET malware researcher Lukáš Štefanko, who discovered DoubleLocker said in a blog: “Setting itself as a default home app – a launcher – is a trick that improves the malware’s persistence. Whenever the user clicks on the home button, the Ransomware gets activated and the device gets locked again. Thanks to using the accessibility service, the user doesn’t know that they launch malware by hitting Home.”
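The three privileges described above (an enabled accessibility service, device-administrator rights and the default HOME launcher role) are all visible through adb on a device you administer, so an investigator can check whether one package holds several of them. The following triage helper is an added example, not code from the article or from ESET: it parses the text of `adb shell settings get secure enabled_accessibility_services`, `adb shell dumpsys device_policy` and `adb shell cmd package resolve-activity --brief -a android.intent.action.MAIN -c android.intent.category.HOME`. The exact layout of the `dumpsys` and `resolve-activity` output is assumed from AOSP builds and may differ by vendor, the allowlist is an illustrative assumption, and the sample output with the package `com.example.flashplayer.update` is constructed for the demonstration (the article names no package).

```python
"""Flag a package that holds accessibility, device-admin and launcher roles at once.

Added example. Input formats are assumed from AOSP adb output; the sample
strings below are constructed, not captured from real DoubleLocker.
"""
import re

# Assumed allowlist of packages expected to hold these privileges on a
# managed device; tune per fleet.
KNOWN_GOOD = {
    "com.google.android.apps.nexuslauncher",
    "com.android.launcher3",
    "com.google.android.marvin.talkback",
    "com.android.settings",
}

# Android component name: <package>/<class>, class may be abbreviated as .Class
COMPONENT = re.compile(r"([A-Za-z][\w.]*)/[\w.$]+")


def parse_accessibility_services(value):
    """Packages in the colon-separated `enabled_accessibility_services` value."""
    value = value.strip()
    if value in ("", "null"):
        return set()
    packages = set()
    for comp in value.split(":"):
        m = COMPONENT.match(comp.strip())
        if m:
            packages.add(m.group(1))
    return packages


def parse_device_admins(dumpsys):
    """Packages listed under 'Enabled Device Admins' in `dumpsys device_policy`.

    The section is taken to end at the next line indented no deeper than the
    header (assumed layout).
    """
    admins = set()
    header_indent = None
    for line in dumpsys.splitlines():
        indent = len(line) - len(line.lstrip())
        if "Enabled Device Admins" in line:
            header_indent = indent
            continue
        if header_indent is None:
            continue
        if line.strip() and indent <= header_indent:
            header_indent = None  # section ended
            continue
        m = COMPONENT.search(line)
        if m:
            admins.add(m.group(1))
    return admins


def parse_default_home(resolve_output):
    """Package of the resolved HOME activity (last component line of the output)."""
    for line in reversed(resolve_output.splitlines()):
        m = COMPONENT.match(line.strip())
        if m:
            return m.group(1)
    return None


def triage(accessibility_value, device_policy_dump, resolve_home_output,
           allowlist=KNOWN_GOOD):
    """Return, per role, the non-allowlisted packages holding it, plus the
    packages that hold two or more roles ('high_risk')."""
    holders = {
        "accessibility": parse_accessibility_services(accessibility_value),
        "device_admin": parse_device_admins(device_policy_dump),
        "default_home": {parse_default_home(resolve_home_output)} - {None},
    }
    result = {role: sorted(pkgs - allowlist) for role, pkgs in holders.items()}
    counts = {}
    for pkgs in result.values():
        for pkg in pkgs:
            counts[pkg] = counts.get(pkg, 0) + 1
    result["high_risk"] = sorted(p for p, n in counts.items() if n >= 2)
    return result


# Constructed sample output (not real adb captures).
ACCESSIBILITY = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.flashplayer.update/.AccessibilityHelper"
)
DEVICE_POLICY = """\
Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.example.flashplayer.update/.DeviceAdmin:
      uid=10231
      policies:
        force-lock
  Password Owner: 10231
"""
RESOLVE_HOME = """\
priority=0 preferredOrder=0 match=0x108000 specificIndex=-1 isDefault=true
com.example.flashplayer.update/.LockScreenActivity
"""

if __name__ == "__main__":
    for role, pkgs in triage(ACCESSIBILITY, DEVICE_POLICY, RESOLVE_HOME).items():
        print(f"{role}: {pkgs}")
```

A single package outside the allowlist in all three roles is the pattern the article describes; on a real device, run the three adb commands and feed their output to `triage` in place of the constructed strings.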
Additionally, DoubleLocker changes the device’s PIN and leaves no trail that could reveal the new value, making it practically impossible for users to recover it.
Victims of DoubleLocker are given 24 hours to pay in Bitcoin to decrypt their data and regain access to their device. According to ESET’s blog post, the attackers demand a payment of 0.0130 BTC (approximately US$54).
Worryingly, DoubleLocker is not only ransomware but is reportedly based on a banking Trojan. According to Štefanko, functionality to harvest victims’ banking credentials and empty their accounts could easily be added.
“The additional functionality will turn this malware into what can be called ransom-banker,” warned Štefanko, who spotted a test version of such a Ransomware-banker in the wild in May.
Besides paying the ransom, the only other way for victims to regain access to their device is a factory reset.
On rooted devices, however, users can bypass the PIN lock without a factory reset, provided the device was in debugging mode before the ransomware was activated.
“DoubleLocker serves as just another reason for mobile users to have a quality security solution installed, and to back up their data on a regular basis,” said Štefanko.