This nasty new Android ransomware encrypts your phone -- and changes your PIN

DoubleLocker ransomware deploys a technique previously used by trojans to gain full control of the device and completely lock it down.
Written by Danny Palmer, Senior Writer

A new form of Android ransomware encrypts victims' data and changes their PIN, making it almost impossible to get their files back without paying a ransom.

Dubbed DoubleLocker by researchers at ESET who discovered it, the ransomware is spread as a fake Adobe Flash update via compromised websites.

Once downloaded onto the device, the fake Adobe Flash app asks the user to activate 'Google Play Services'; what it is actually requesting is a set of permissions granted through accessibility services, a function designed to help people with disabilities use their phone.

These include retrieving window content, turning on enhanced web accessibility (used to install scripts) and observing typed-in text. The same technique of abusing accessibility services has previously been exploited by data-stealing Android trojans, but this is the first time it has been seen in ransomware.

Once given the appropriate permissions, DoubleLocker installs the ransomware as the default Home application, meaning the next time the user visits their home screen, they're faced with a ransom note.

"Setting itself as a default home app - a launcher - is a trick that improves the malware's persistence. Whenever the user clicks on the Home button, the ransomware gets activated and the device gets locked again. Thanks to using the accessibility service, the user doesn't know that they launched malware by hitting Home," says Lukáš Štefanko, malware researcher at ESET.
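The two persistence signals described above (an unexpected app granted the accessibility service, and an unexpected app set as the default Home launcher) are both visible in device settings, so an incident responder can check for them without touching the malware. The following is an added triage example, not code from ESET or from this article. It assumes the analyst has captured the output of `adb shell settings get secure enabled_accessibility_services` and `adb shell cmd package resolve-activity --brief -a android.intent.action.MAIN -c android.intent.category.HOME` from a device attached to a trusted workstation; the package name `com.example.fakeflash`, the sample command output and the two allow-lists are constructed for illustration.

```python
# Added triage example (not ESET's or ZDNet's code): parse two device settings
# an analyst can capture over adb and flag the persistence signals the article
# describes -- an unrecognised accessibility service and a non-stock HOME app.
#
# Assumed capture commands (run on a trusted workstation with the device attached):
#   adb shell settings get secure enabled_accessibility_services
#   adb shell cmd package resolve-activity --brief \
#       -a android.intent.action.MAIN -c android.intent.category.HOME
# Package names below are constructed samples, not real indicators.

from dataclasses import dataclass, field
from typing import List, Set

# Constructed sample output of the two commands: a hypothetical fake Flash app
# "com.example.fakeflash" has been granted accessibility and set as launcher.
SAMPLE_ACCESSIBILITY = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.fakeflash/com.example.fakeflash.HelperService"
)
SAMPLE_HOME = (
    "priority=-1 preferredOrder=0 match=0x108000 specificIndex=-1 isDefault=true\n"
    "com.example.fakeflash/.LockActivity"
)

# Allow-lists a defender maintains for their own fleet; the entries here are
# illustrative, not a complete list of legitimate packages.
KNOWN_ACCESSIBILITY_PKGS: Set[str] = {"com.google.android.marvin.talkback"}
KNOWN_LAUNCHER_PKGS: Set[str] = {
    "com.google.android.apps.nexuslauncher",
    "com.android.launcher3",
}


def parse_accessibility_services(raw: str) -> List[str]:
    """Split the colon-separated 'package/class' list; 'null' means none enabled."""
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    return [entry.strip() for entry in raw.split(":") if entry.strip()]


def parse_default_home(raw: str) -> str:
    """Return the package of the resolved HOME activity (the last 'pkg/Activity' line)."""
    for line in reversed(raw.strip().splitlines()):
        line = line.strip()
        if "/" in line and "=" not in line:
            return line.split("/", 1)[0]
    return ""


@dataclass
class TriageResult:
    unknown_accessibility: List[str] = field(default_factory=list)
    default_home: str = ""
    home_is_known: bool = True

    @property
    def suspicious(self) -> bool:
        # Either signal alone is worth a closer look at the device.
        return bool(self.unknown_accessibility) or not self.home_is_known


def triage(acc_raw: str, home_raw: str,
           known_acc: Set[str] = KNOWN_ACCESSIBILITY_PKGS,
           known_home: Set[str] = KNOWN_LAUNCHER_PKGS) -> TriageResult:
    """Flag accessibility grants and a default launcher that are outside the allow-lists."""
    result = TriageResult()
    for service in parse_accessibility_services(acc_raw):
        pkg = service.split("/", 1)[0]
        if pkg not in known_acc:
            result.unknown_accessibility.append(service)
    result.default_home = parse_default_home(home_raw)
    result.home_is_known = result.default_home in known_home
    return result


if __name__ == "__main__":
    r = triage(SAMPLE_ACCESSIBILITY, SAMPLE_HOME)
    print("unknown accessibility services:", r.unknown_accessibility)
    print("default home:", r.default_home,
          "(known)" if r.home_is_known else "(NOT on allow-list)")
    print("suspicious:", r.suspicious)
```

The allow-list approach is deliberate: a launcher or accessibility grant that is not on the fleet's known-good list is the finding, because the article's point is that the malware relies on those two settings rather than on any particular package name, which an attacker can change at will.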

DoubleLocker ransomware note. Image: ESET

DoubleLocker locks the device in two ways. First, like other forms of ransomware, it encrypts the files on the device, in this case utilizing the AES encryption algorithm with the extension "cryeye". Unfortunately for victims, the encryption is applied effectively, meaning there's currently no way of retrieving the files without the key.

Secondly, the ransomware changes the PIN of the device, effectively blocking the victim from using it in any way at all. The PIN is set to a random number which the attackers don't store themselves, meaning it's impossible to recover access to the device. Once the ransom is paid, the attackers remotely reset the PIN to unlock the device.

In return for unlocking the device, the attackers demand a ransom of 0.0130 Bitcoins - around $73 at the time of writing because of the high valuation of the currency.


While this figure is low compared with other forms of ransomware, it's likely the cyber criminals behind the scheme think that victims are more likely to pay a smaller amount in order to regain access to their phone or tablet.

A deadline of 24 hours for paying the ransom is issued by the attackers, who claim "Without [the software], you will never be able to get your original files back".

For most, there's only one way to rid the device of DoubleLocker without paying the ransom - and that's via a factory reset, which will wipe any data that hasn't been backed up.

Rooted Android phones have a small chance of getting past the PIN lock without a reset, but only if the device was in debugging mode before the ransomware was installed. If that is the case, the user can remove the system file where the PIN is stored, which allows the user to manually reset the device.

The best way for Android users to avoid falling victim to ransomware or other malware is to not install applications or software from third-party sites.

However, Google's own Play Store isn't bulletproof - the official market keeps out the vast majority of malicious apps, but some still slip through the net.
