Detected by the computer security company ESET as Android/DoubleLocker.A, this malware is built on the foundations of a regular banking Trojan that abuses the accessibility services of the Android system. Unlike a banking Trojan, however, DoubleLocker does not collect the users' bank credentials or wipe their accounts; instead, it extorts them through two powerful tools.
DoubleLocker can change the PIN of the device, locking the user out of it, and in addition encrypts the data it finds. This combination of actions had not previously been seen in the Android ecosystem. Given its banking-malware roots, DoubleLocker operates in two stages:
- Extract the funds from the victim's bank or PayPal account.
- Lock the device and its data to demand a ransom.
Lukas Stefanko, an ESET malware researcher, was responsible for detecting DoubleLocker and states that it has been in testing since May 2017.
How is DoubleLocker distributed?
DoubleLocker is distributed in the same way as its banking parent: primarily as a fake Adobe Flash Player offered through compromised websites. Once launched, the app asks the user to activate the malware's accessibility service, which it names "Google Play Services."
Once the malware has been granted accessibility permissions, it uses them to activate device administrator rights and to set itself as the default Home application, in both cases without the user's consent. Stefanko explains further:
"Setting itself up as the default Home app is a trick that improves the persistence of DoubleLocker. Each time the user clicks the Home button, the ransomware is activated and the device is locked again. Thanks to the use of the accessibility service, the user does not know that pressing Home activates the malware."
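The persistence footholds described above (an enabled accessibility service and a hijacked default Home app) can be checked over ADB. The following triage helpers are an added example, not part of the original article or of ESET's tooling; the package allowlists and the sample service list are constructed assumptions that must be tailored to the device fleet, and the live check assumes the device already has USB debugging enabled.

```sh
#!/bin/sh
# Triage helpers for two of the persistence footholds DoubleLocker relies on:
# an unexpected enabled accessibility service and an unexpected default HOME app.
# Package names below are constructed placeholders for this example.

# Allowlists (assumption: adjust per fleet). Space-separated package names.
KNOWN_A11Y='com.google.android.marvin.talkback'
KNOWN_HOME='com.google.android.apps.nexuslauncher com.android.launcher3'

# $1: space-separated component names (pkg/cls); $2: allowlist of packages.
# Prints every component whose package is not allowlisted.
# Returns 1 if any were found, 0 otherwise.
flag_unknown() {
    found=0
    for comp in $1; do
        pkg=${comp%%/*}
        case " $2 " in
            *" $pkg "*) ;;
            *) echo "UNEXPECTED: $comp"; found=1 ;;
        esac
    done
    return $found
}

# Convert the colon-separated value of the Android secure setting
# enabled_accessibility_services into a space-separated list.
# The setting reads "null" when no service is enabled.
a11y_components() {
    if [ -z "$1" ] || [ "$1" = null ]; then
        return 0
    fi
    printf '%s\n' "$1" | tr ':' ' '
}

# Pull live values from a connected device (USB debugging must be on).
live_check() {
    a11y=$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')
    flag_unknown "$(a11y_components "$a11y")" "$KNOWN_A11Y"
    # The last line of --brief output is the resolved HOME component.
    home=$(adb shell cmd package resolve-activity --brief \
        -a android.intent.action.MAIN -c android.intent.category.HOME | tr -d '\r' | tail -n 1)
    flag_unknown "$home" "$KNOWN_HOME"
}

# Constructed sample: TalkBack plus a service whose on-screen label could claim
# to be "Google Play Services" while its package is not com.google.android.gms.
SAMPLE_A11Y='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.fakeflash/com.example.fakeflash.PlayService'
```

Run `live_check` with a device attached; a non-zero return value means at least one component outside the allowlists is active and deserves a closer look.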
Locking the device and its data
Once it is running on the device, DoubleLocker creates two reasons for victims to pay. First, it changes the device PIN. The new PIN is set to a random value that the attackers neither store nor send anywhere, so it is impossible for the user or a security expert to recover it. After the ransom is paid, the attacker can remotely reset the PIN and unlock the device.
Second, DoubleLocker encrypts all files in the device's primary storage directory. It uses the AES encryption algorithm and appends the extension ".cyeye" to each file. The encryption is implemented correctly, which means there is no way to recover the files without obtaining the encryption key from the attackers.
The ransom has been set at 0.0130 BTC (approximately US$54), and the ransom note says it must be paid within 24 hours. If the ransom is not paid, however, the data remains encrypted but is not erased.
How do I protect myself from a DoubleLocker attack?
The only viable option described by Stefanko is a factory reset of the device. For rooted devices, however, there is a way to get past the PIN lock without a factory reset. For the method to work, the device must already have been in debug mode before the ransomware became active.
If this condition is met, the user can connect to the device via ADB and delete the system file in which Android stores the PIN. This unlocks the screen so that the user can access the device. Then, working in safe mode, the user can deactivate the malware's device administrator rights and uninstall it. In some cases the device needs to be rebooted.