Security researchers uncover new ransomware affecting Android devices

Researchers at Eset have discovered an innovative Android malware which they have dubbed DoubleLocker, that is based on the foundations of a pre-documented banking Trojan. Rather than harvesting banking credentials from users and ransacking accounts, it uses two tools for extortion purposes.

Firstly, it can change the device’s PIN thus preventing the users to access their devices, and in a second blow it can also encrypt the device the data it finds in it – an unprecedented combination within the Android ecosystem. It appears as a fake Adobe Flash window and asks for activation of ‘Google Play Services’ via accessibility services created to help people with disabilities use their phone.

Lukáš Štefanko, the ESET malware researcher who discovered DoubleLocker said: “Given its banking malware roots, DoubleLocker may well be turned into what could be called ransom-bankers. Two-stage malware that first tries to wipe your bank or PayPal account and subsequently locks your device and data to request a ransom. Speculation aside, we spotted a test version of such a ransom-banker in the wild as long ago as May, 2017.”

Criminals exploiting Android accessibility

The misuse of Android accessibility services is nothing new among cyber-criminals, but the combination of PIN change and data encryption is an unprecedented development.

The new PIN is set to a random value which is neither stored nor sent by attackers, so it’s impossible to be recovered by security experts. Once the ransom is paid, the attacker can remotely enter the randomised PIN.

The encryption method used by DoubleLocker is the AES encryption algorithm, appending the extension “.cryeye”. The ransom at present has been set at approximately $ 54 and must be paid within 24 hours.

In the ransom note, the user is warned against removing or otherwise blocking DoubleLocker, but this advice has been dismissed by Eset as irrelevant if you have a good security solution on your device.

The only viable option if affected is a factory reset, but rooted devices can get past the PIN lock without a factory reset using a more complex method. There is no way to recover the data stored on the device – all the more reason to install a good security solution and back up your data on a regular basis.

A new level of ransomware for Android phones. Image: Shutterstock/P3ak

The post Security researchers uncover new ransomware affecting Android devices appeared first on Silicon Republic.

Silicon RepublicSilicon Republic