DoubleLocker Ransomware Changes PIN and Encrypts Data

Security researchers are warning of a new breed of Android ransomware designed to both encrypt data on a victim’s device and lock them out by changing the PIN code.

DoubleLocker is based on code from banking trojan Android.BankBot.211.origin which forces users to grant it access to the smartphone’s accessibility service.

Once launched, typically from a fake Adobe Flash Player app served by a compromised website, it tries to obtain accessibility permissions.

It will then use these to activate device admin rights and set itself up as the home application on the phone.

“Setting itself as a default home app – a launcher – is a trick that improves the malware’s persistence,” explained Eset malware researcher, Lukáš Štefanko. “Whenever the user clicks on the home button, the ransomware gets activated and the device gets locked again. Thanks to using the accessibility service, the user doesn’t know that they launch malware by hitting Home.”
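As an added defender-side example (not code from Eset or from the malware), the following Python triage heuristic parses an AndroidManifest.xml and flags an app that declares the same capability combination described above: an accessibility service, a device admin receiver, and a HOME launcher activity. The sample manifest, the package name com.example.fakeflash and the component names are constructed for illustration.

```python
# Manifest triage heuristic for the DoubleLocker-style capability combination.
# Added example; the sample manifest below is constructed, not from the malware.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# (label, manifest element tag, android: attribute, expected attribute value)
CHECKS = (
    ("accessibility_service", "service", "permission",
     "android.permission.BIND_ACCESSIBILITY_SERVICE"),
    ("device_admin", "receiver", "permission",
     "android.permission.BIND_DEVICE_ADMIN"),
    ("home_launcher", "category", "name", "android.intent.category.HOME"),
)

# Constructed sample manifest (hypothetical package) showing all three together.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeflash">
  <application>
    <activity android:name=".Main">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.HOME"/>
      </intent-filter>
    </activity>
    <service android:name=".A11y"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <receiver android:name=".Admin"
        android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""


def manifest_capabilities(manifest_xml):
    """Return the labels of the risky capabilities the manifest declares."""
    root = ET.fromstring(manifest_xml)
    found = set()
    for label, tag, attr, value in CHECKS:
        key = "{%s}%s" % (ANDROID_NS, attr)  # namespaced android: attribute
        if any(el.get(key) == value for el in root.iter(tag)):
            found.add(label)
    return found


def is_doublelocker_like(manifest_xml):
    """Flag only when all three are combined; any one alone is common in benign apps."""
    return manifest_capabilities(manifest_xml) == {c[0] for c in CHECKS}
```

Run the check over manifests extracted from APKs during app vetting; a hit is a reason for manual review, not proof of malice, since legitimate launchers or accessibility tools may hold one or two of these capabilities.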

True to its name, the ransomware uses two techniques to force its victims to pay up.

First, it changes the device PIN to a new credential which isn’t stored on the phone or sent anywhere. The PIN is only reset by the attacker following payment of the ransom.

Second, it encrypts all files in the device’s primary storage directory using the AES algorithm, appending the “.cryeye” extension to each. There’s no way to recover the files without the encryption key, according to Štefanko.

The ransom, which must be paid within a 24-hour deadline, is just 0.0130 BTC ($54).

For those not wanting to pay up, the only option is a factory reset, which removes the ransomware but also wipes all data on the device.

There’s another workaround for rooted devices, but still no way to recover the encrypted data.

Interestingly, although DoubleLocker doesn’t contain any functionality related to harvesting banking credentials, it could be turned into a so-called “ransom-banker”, according to Štefanko.

“[This is] two-stage malware that first tries to wipe your bank or PayPal account and subsequently locks your device and data to request a ransom,” he explained. “Speculation aside, we spotted a test version of such a ransom-banker in the wild as long ago as May 2017.”
