DoubleLocker: Android ransomware changes the smartphone’s PIN
New Android malware is spreading that can lock the device by abusing the accessibility services.
Researchers at ESET have identified the ransomware as Android/DoubleLocker; although it is not programmed to steal banking credentials, it is built on the code base of the banking trojan Android.BankBot.211.origin.
No risk to our money, then, but the malware can encrypt data and, above all, change the phone's PIN, locking the owner out of the device.
“Considering it is a kind of banking malware, DoubleLocker could easily become what we can call a ransom-banker,” explains Lukáš Štefanko of ESET. “A two-step malware that first attempts to clear your bank account or PayPal account and then locks your device and your data to request a ransom … Speculation aside, as early as May 2017 we identified a test version of a ransom-banker in the wild.”
DoubleLocker is distributed as a fake Adobe Flash Player: the malware requests accessibility permissions, through which it obtains administrator rights and sets itself as the default Home app. From then on, whenever the unsuspecting user taps the Home button, the ransomware activates and locks the device.
The new PIN cannot be recovered by the user in any way, except after paying a ransom of 0.0130 bitcoins, roughly $54 (to be paid within 24 hours of the demand!). DoubleLocker then encrypts the files in the root directory with the AES algorithm, adding the .cryeye extension.
“Without [the software], you will no longer be able to retrieve your original files,” the ransom note warns anyone who tries to remove the ransomware.
How do you remove the malware? ESET recommends that owners of non-rooted smartphones restore factory settings to reset the PIN. If your device is rooted, you can connect to it over ADB and delete the file where the PIN is stored; this obviously requires USB debugging to be enabled.
Finally, revoke the malware's device administrator rights and then uninstall it.
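Before applying the removal steps, a responder first has to identify which package to revoke and uninstall. The script below is an added example, not code from the article or from ESET: it checks, offline, the three indicators the article describes (an accessibility service owned by an unexpected package, an unexpected default Home app, and files carrying the .cryeye extension) against captured `adb shell` output. The trusted-package list, the assumed shape of the `settings get` and `cmd package resolve-activity --brief` output, and the sample data (including the placeholder package `com.example.fakeflash`) are all assumptions, not values from the ESET analysis.

```python
"""Offline triage for the DoubleLocker indicators described above.

Every function takes the text that an `adb shell` command returned, so the
checks run on captured output without a device attached.  Nothing here
modifies the device; the removal steps (revoke admin rights, uninstall) are
applied manually once a suspect package has been identified.
"""
import re
from typing import Dict, List, Optional, Set

# Packages a practitioner expects to own an accessibility service or the
# Home role on a stock device.  Illustrative assumption: tune per OEM build.
TRUSTED_PACKAGES: Set[str] = {
    "com.android.launcher3",
    "com.google.android.apps.nexuslauncher",
    "com.google.android.marvin.talkback",
}


def parse_accessibility_services(settings_output: str) -> List[str]:
    """Parse `adb shell settings get secure enabled_accessibility_services`.

    The setting is a colon-separated list of package/component entries and
    prints 'null' when nothing is enabled (assumption about the output shape).
    """
    text = settings_output.strip()
    if not text or text == "null":
        return []
    return [entry for entry in text.split(":") if entry]


def untrusted_accessibility_services(settings_output: str,
                                     trusted: Set[str] = TRUSTED_PACKAGES) -> List[str]:
    """Accessibility services whose owning package is not on the trust list."""
    return [svc for svc in parse_accessibility_services(settings_output)
            if svc.split("/", 1)[0] not in trusted]


def default_home_package(resolve_output: str) -> Optional[str]:
    """Extract the package that currently resolves the HOME intent.

    Expects the output of
    `adb shell cmd package resolve-activity --brief -a android.intent.action.MAIN -c android.intent.category.HOME`,
    whose final line is `package/activity` (assumption about the output shape).
    """
    for line in reversed(resolve_output.strip().splitlines()):
        match = re.match(r"^([A-Za-z][\w.]*)/\S+$", line.strip())
        if match:
            return match.group(1)
    return None


def cryeye_files(listing: str) -> List[str]:
    """Entries of an `ls -1` listing that carry the .cryeye extension."""
    return [name.strip() for name in listing.splitlines()
            if name.strip().endswith(".cryeye")]


def triage(settings_output: str, resolve_output: str, listing: str,
           trusted: Set[str] = TRUSTED_PACKAGES) -> Dict[str, object]:
    """Combine the three indicators and name the packages to investigate."""
    services = untrusted_accessibility_services(settings_output, trusted)
    home = default_home_package(resolve_output)
    encrypted = cryeye_files(listing)
    home_untrusted = home is not None and home not in trusted
    suspects = {svc.split("/", 1)[0] for svc in services}
    if home_untrusted:
        suspects.add(home)
    return {
        "untrusted_accessibility_services": services,
        "default_home": home,
        "home_is_untrusted": home_untrusted,
        "cryeye_files": encrypted,
        "suspect_packages": suspects,
    }


# Constructed sample output; "com.example.fakeflash" is a placeholder, not a
# real package name from the ESET analysis.
SAMPLE_ACCESSIBILITY = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
    ":com.example.fakeflash/com.example.fakeflash.LockService"
)
SAMPLE_RESOLVE = (
    "priority=0 preferredOrder=0 match=0x108000 specificIndex=-1 isDefault=true\n"
    "com.example.fakeflash/.HomeActivity\n"
)
SAMPLE_LISTING = "DCIM\nDownload\nnotes.txt.cryeye\nphoto.jpg.cryeye\n"

if __name__ == "__main__":
    for key, value in triage(SAMPLE_ACCESSIBILITY, SAMPLE_RESOLVE, SAMPLE_LISTING).items():
        print(f"{key}: {value}")
```

On a real device the three inputs come from `adb shell` on a rooted or USB-debugging-enabled phone; the functions only read text, so the same checks can be run on output collected earlier from an image or a support ticket. A package that appears under `suspect_packages` is the candidate for the article's final steps: revoke its device administrator rights, then uninstall it.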