Security researchers from Slovakia-based security software maker ESET have discovered a new Android ransomware that doesn’t just encrypt users’ data, but also locks them out of their devices by changing the lock-screen PIN until a ransom is paid.
Ransomware is a form of attack targeted at PCs and, sometimes, handheld devices. When a PC or smartphone is hit by a ransomware attack, the files on the device are encrypted and become inaccessible; the attacker then demands a ransom from the device owner in order for the files to be decrypted and access to be regained. During this period of encryption, the user is completely locked out of the device, as the only thing accessible to the victim is the instructions on how to pay the ransom to get the device decrypted.
Prior to this, ransomware attacks were not particularly notorious on Android smartphones; there had been cases in the past, but they never carried much weight.
But now we have DoubleLocker, the first-ever ransomware to misuse Android accessibility services, a feature that provides users with alternative ways to interact with their smartphones and one that has mainly been misused by Android banking Trojans to steal banking credentials.
“Given its banking malware roots, DoubleLocker may well be turned into what could be called ransom-bankers,” said Lukáš Štefanko, a malware researcher at ESET.
“Two-stage malware that first tries to wipe your bank or PayPal account and subsequently locks your device and data to request a ransom.”
Researchers believe DoubleLocker could be upgraded in the future to steal banking credentials as well, rather than just extorting money as ransom. DoubleLocker was first discovered in May 2017.
Here’s How the DoubleLocker Ransomware Works:
Once the victim mistakenly installs DoubleLocker, which is typically disguised as a fake Adobe Flash update distributed via compromised websites, the ransomware asks the user to activate an accessibility service named ‘Google Play Services’.
Once this accessibility permission is granted, the malware quickly uses it to obtain device administrator rights and then sets itself as the default home application (the launcher) without the user’s knowledge.
“Setting itself as a default home app – a launcher – is a trick that improves the malware’s persistence,” explains Štefanko.
“Whenever the user clicks on the home button, the ransomware gets activated, and the device gets locked again.”
Once executed, DoubleLocker changes the device PIN and encrypts all the files using the AES encryption algorithm.
What this means is that any time you press the home button, DoubleLocker is activated again.
DoubleLocker then demands a ransom of 0.0130 BTC (USD 74.38) and warns victims that they must pay within 24 hours.
Once the ransom is paid, the attacker provides the decryption key and also resets the PIN to unlock the victim’s device.
Researchers believe there is no way to unlock the encrypted files on non-rooted devices, but such devices can be factory reset in order to unlock them and get rid of DoubleLocker.
On rooted Android devices, enable debugging mode and use the Android Debug Bridge (ADB) tool to reset the PIN without wiping the device.
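As an added, defender-side example that is not part of the article or of ESET’s research: a small Python triage script that correlates the three capabilities the walkthrough above describes (an enabled accessibility service, device-administrator rights, and being the default home launcher) across output captured with adb, and flags any package holding more than one of them. The package names and adb outputs are constructed samples, and the exact layout of the dumpsys output is an assumption.

```python
import re
# Constructed sample of `adb shell settings get secure enabled_accessibility_services`.
ENABLED_A11Y = ("com.example.fakeflash/com.example.fakeflash.PlayService"
                ":com.android.talkback/.TalkBackService")

# Constructed, abbreviated sample of `adb shell dumpsys device_policy`; exact layout assumed.
DEVICE_POLICY = """Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.example.fakeflash/.AdminReceiver:
"""

# Constructed sample of `adb shell cmd package resolve-activity -a android.intent.action.MAIN
# -c android.intent.category.HOME`, i.e. the app that currently answers the home button.
HOME_RESOLVE = """priority=0 preferredOrder=0 match=0x108000 specificIndex=-1 isDefault=true
  ActivityInfo:
    name=com.example.fakeflash.LockActivity
    packageName=com.example.fakeflash
"""

# Captures the package part of an Android component name such as pkg/.Service
COMPONENT = re.compile(r"([A-Za-z][A-Za-z0-9_.]*)/\.?[A-Za-z0-9_.]+")

def packages_with_components(text):
    """Every package owning a component listed in the text (a11y list or dumpsys)."""
    return {m.group(1) for m in COMPONENT.finditer(text)}

def home_package(resolve_output):
    """Package of the activity resolving the HOME intent, or None if not found."""
    m = re.search(r"packageName=(\S+)", resolve_output)
    return m.group(1) if m else None

def triage(a11y_setting, dumpsys_policy, home_resolve):
    """Map package -> indicators for packages holding at least two of the three capabilities
    DoubleLocker combines; a lone indicator (e.g. a plain screen reader) is not reported."""
    a11y = packages_with_components(a11y_setting)
    admins = packages_with_components(dumpsys_policy)
    home = home_package(home_resolve)
    findings = {}
    for pkg in a11y | admins | ({home} if home else set()):
        hits = [label for label, held in (("accessibility", pkg in a11y),
                                          ("device-admin", pkg in admins),
                                          ("default-home", pkg == home)) if held]
        if len(hits) >= 2:
            findings[pkg] = hits
    return findings

if __name__ == "__main__":
    for pkg, hits in triage(ENABLED_A11Y, DEVICE_POLICY, HOME_RESOLVE).items():
        print(f"{pkg}: {', '.join(hits)}")
```

On a real device the three inputs come from the adb commands named in the comments; a package that appears with all three labels matches the persistence pattern described above and is a candidate for removal before resorting to a factory reset.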
As for protection, the best way for users to avoid falling victim to this ransomware is to always download apps from the Google Play Store and from verified developers.
Also, never click on links provided in SMS messages or emails. Even if an email looks legitimate, go directly to the originating website and verify any supposed update there.
Most importantly, keep a good antivirus app on your smartphone that can detect and block such malware before it infects your device, and always keep it and your other apps up to date.