New Android Ransomware Gets Activated by Home Button; Encrypts Data & Changes PIN Code


Security researchers have discovered a new Android ransomware that encrypts data on the infected device and then changes its PIN number to make sure that victims are completely locked out of their devices unless they give into the demands of criminals. Dubbed aptly as DoubleLocker, this latest strain of Android ransomware is distributed through fake Adobe Flash Player downloads using malicious websites.

Misusing Android accessibility services, DoubleLocker is activated once the fake Adobe Flash Player app is launched. The app requests activation of the malware’s accessibility service, named as "Google Play Service," after which its uses these accessibility permissions to activate device administrator rights and set itself as the default Home application without user consent.

Fake COVID-19 Tracking App Found to Infect Android Phones With Ransomware

Setting itself as a launcher makes this Android ransomware more persistent, since whenever the user clicks on the Home button, the ransomware gets activated. The only way to get rid of DoubleLocker is to do a factory reset, researchers said.

If you, however, use a rooted Android device, security researchers said that you can get past the PIN lock without a factory reset. "For the method to work, the device needed to be in the debugging mode before the ransomware got activated."

If this condition is met, then the user can connect to the device by ADB and remove the system file where the PIN is stored by Android. This operation unlocks the screen so that the user can access their device. Then, working in safe mode, the user can deactivate device administrator rights for the malware and uninstall it. In some cases, a device reboot is needed.

This Android ransomware could be used to steal banking credentials in the future

DoubleLocker is developed on the foundations of a banking trojan. While it currently doesn't have the modules to steal users’ banking credentials, the functionality could be easily added in the future.

"Given its banking malware roots, DoubleLocker may well be turned into what could be called ransom-bankers," Lukáš Štefanko, the ESET researcher who discovered DoubleLocker, said. "Two-stage malware that first tries to wipe your bank or PayPal account and subsequently locks your device and data to request a ransom."

Right now, the malware is specifically focused on extorting money from its victims by locking them out of their devices. The ransom has been set to 0.0130 BTC (approximately USD 73 at the time of this writing) with the criminals having added a message that it needs to be paid within 24 hours. ESET added that even after 24 hours, the attackers aren't wiping the data as it remains encrypted.

42 Android Phones That Bring Banking Trojan Out of the Box

While ESET has recommended users to have a strong antivirus solution on their Android devices, having "Unknown Sources" disabled should be enough to stay safe from this particular Android ransomware. Also, those users who even glance at the permissions an app is asking for should be okay since it's basically telling you that it will change your password and erase your data.