DoubleLocker Android ransomware locks your screen and encrypts your data

Ransomware is becoming an issue not only for those using computers, but for Android users as well. While most Android ransomware does not actually encrypt any files and merely locks the screen, a few do. A new ransomware, DoubleLocker, has been spotted by ESET researchers, and it not only encrypts your files but also changes your device’s PIN, which essentially locks you out of your device.

“DoubleLocker can change the device’s PIN, preventing victims from accessing their devices, and also encrypts the data it finds in them – a combination that has not been seen previously in the Android ecosystem,” the ESET report explains.

The Android malware spreads via a malicious Adobe Flash update. It gains administrator rights, sets itself as the default Home application, encrypts your files, and changes your PIN so you cannot access the device. It seems to be connected to the notorious Svpeng Android banking Trojan, as it is based on the same code.

Android ransomware locks your screen and encrypts your data

The Svpeng banking Trojan was one of the first Android malware families able to steal money from bank accounts via SMS-based account management services, to present fake login screens that fool users into giving away their credentials, and to add ransomware features. DoubleLocker uses the same code as Svpeng to lock the device and encrypt files, but unlike Svpeng, it does not include the code for stealing bank-related information.

DoubleLocker spreads via fake Adobe Flash Player update

Just like a lot of malware, both for computers and for Android, this one spreads via bogus Adobe Flash updates. Infection is quite easy: you visit a questionable website, it asks you to update your Adobe Flash Player in order to view the content, and once you download the malicious update, the ransomware is on your device.

“Once launched, the app requests activation of the malware’s accessibility service, named “Google Play Service”. After the malware obtains the accessibility permissions, it uses them to activate device administrator rights and set itself as the default Home application, in both cases without the user’s consent,” ESET’s Lukáš Štefanko explains.

Reactivates every time the user presses the Home button

Once it gains all the necessary administrator rights, it encrypts your data and locks your screen. Instead of the usual background, you will see a ransom note. Unlike a lot of other Android malware, DoubleLocker does encrypt your files, which means there is little chance you will get them back. It adds the .cryeye extension to all affected files.

“The encryption is implemented properly, which means that, unfortunately, there is no way to recover the files without receiving the encryption key from the attackers,” Štefanko explains.

When the malware locks your device, it changes the PIN but does not store it anywhere, so the criminals do not have it, and researchers cannot recover it. When the ransom is paid, the hackers can remotely reset the PIN, unlocking your device.

Researchers also note that the ransomware launches whenever the user hits the Home button. Because it has set itself as the default Home application, every press of the Home button activates the ransomware again, so even if the user manages to bypass the lock, pressing Home will lock the screen once more.

Factory reset needed in order to get rid of DoubleLocker

In order to unlock the device, the users are asked to pay 0.0130 Bitcoin, which is around $70. Unfortunately, there is no way to recover data, unless you have backed up everything prior to infection. And in order to get rid of DoubleLocker, users need to perform a full factory reset.

“For rooted devices, however, there is a method to get past the PIN lock without a factory reset. For the method to work, the device needed to be in the debugging mode before the ransomware got activated. If this condition is met, then the user can connect to the device by ADB and remove the system file where the PIN is stored by Android. This operation unlocks the screen so that the user can access their device. Then, working in safe mode, the user can deactivate device administrator rights for the malware and uninstall it. In some cases, a device reboot is needed,” ESET explains.
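As an added example (not from ESET or this article), the following Python triage helper checks the device state an analyst has pulled over ADB, as in the rooted-device procedure just quoted, for the indicators described above: an accessibility service, a device-admin receiver and the default Home app all owned by one package the analyst does not trust, plus files carrying the .cryeye extension. The trusted package prefixes and the package names in the sample are assumptions, and the sample values are constructed.

```python
"""Triage checks for the DoubleLocker indicators described above.

The raw inputs are what an analyst pulls over ADB from a device that was
already in debugging mode, e.g. `adb shell settings get secure
enabled_accessibility_services`; the values used below are constructed.
"""
from typing import Dict, List

# Assumption: packages the analyst trusts to hold these powerful roles.
# Illustrative only; tune to the device's OEM and known launcher.
TRUSTED_PREFIXES = ("com.android.", "com.google.android.")

def parse_services(raw: str) -> List[str]:
    """Split the colon-separated 'package/class' list Android keeps in
    the enabled_accessibility_services secure setting."""
    return [s for s in raw.strip().split(":") if s]

def package_of(component: str) -> str:
    return component.split("/", 1)[0]

def untrusted(component: str) -> bool:
    return not package_of(component).startswith(TRUSTED_PREFIXES)

def triage(accessibility_raw: str, home_component: str,
           device_admins: List[str], filenames: List[str]) -> Dict[str, list]:
    """Collect the indicators matching the behaviour ESET describes:
    untrusted owners of the accessibility, device-admin and Home roles,
    and files renamed with the .cryeye extension the ransomware adds."""
    return {
        "accessibility": [s for s in parse_services(accessibility_raw) if untrusted(s)],
        "device_admin": [a for a in device_admins if untrusted(a)],
        "home": [home_component] if untrusted(home_component) else [],
        "encrypted_files": [f for f in filenames if f.endswith(".cryeye")],
    }

def matches_doublelocker(findings: Dict[str, list]) -> bool:
    """True when one untrusted package holds all three roles at once,
    the combination that distinguishes DoubleLocker from screen lockers."""
    owners = [{package_of(c) for c in findings[k]}
              for k in ("accessibility", "device_admin", "home")]
    return bool(owners[0] & owners[1] & owners[2])

# Constructed sample; "com.example.fakeflash" is a placeholder package name.
SAMPLE_ACCESSIBILITY = ("com.google.android.marvin.talkback/.TalkBackService:"
                        "com.example.fakeflash/.PlayService")
SAMPLE_HOME = "com.example.fakeflash/.LockActivity"
SAMPLE_ADMINS = ["com.example.fakeflash/.AdminReceiver"]
SAMPLE_FILES = ["IMG_0001.jpg.cryeye", "notes.txt", "invoice.pdf.cryeye"]
```

Running `matches_doublelocker(triage(SAMPLE_ACCESSIBILITY, SAMPLE_HOME, SAMPLE_ADMINS, SAMPLE_FILES))` on the sample returns True; on a clean device with only the stock launcher and TalkBack it returns False.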
