DoubleLocker, new Android ransomware activates every time when user press the home button

DoubleLocker is a new ransomware family targeting Android devices. It abuses Android’s Accessibility service and reactivates itself every time the user presses the phone’s Home button.

ESET researcher Lukas Stefanko, who analyzed DoubleLocker, says the new ransomware is based on code taken from the Svpeng banking trojan, reusing the code needed to lock devices and encrypt files.

An infection usually starts when the user installs a fake Flash Player app on the device. The app asks for access to the Accessibility service.

If the user grants this access, the Accessibility service allows the malicious app to mimic user taps. The app abuses this to navigate the Android settings and grant itself device administrator rights.

After this, DoubleLocker begins its malicious behaviour: it replaces the device’s PIN with a random PIN code and encrypts all files on the device’s primary storage with the AES encryption algorithm.

Currently, DoubleLocker is one of the very few Android ransomware strains that actually encrypt files; most Android ransomware only locks the user’s screen.

Another unusual behaviour is that the ransomware reactivates itself every time the user presses the Home button. It achieves this by setting itself as the default launcher (home app) on the device.

DoubleLocker uses this launcher trick to ensure users can’t get around the lock screen: if the user does manage to bypass it, pressing the Home button simply restarts the ransomware.
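The two footholds described above (an Accessibility service the user was tricked into enabling, and a third-party app registered as the default HOME activity) are both visible from the device's settings, so they can be checked from a forensic workstation over ADB. The following triage helper is an added example written for this article, not code from ESET or from the malware analysis: it parses the output of `settings get secure enabled_accessibility_services` and `cmd package resolve-activity --brief` and flags anything outside a baseline. The baseline sets, the `com.example.flashplayer` package name and the sample command output are all constructed for illustration.

```python
"""Triage helper for the DoubleLocker pattern: an unexpected Accessibility
service enabled, and a non-baseline app installed as the default launcher.
Parses 'adb shell' output; the sample output below is constructed, not captured
from a real infection."""
import subprocess
from typing import List, Optional, Set

# Baseline for a hypothetical fleet: components we expect to see. Adjust per build.
EXPECTED_ACCESSIBILITY: Set[str] = {
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService",
}
EXPECTED_HOME_PACKAGES: Set[str] = {
    "com.android.launcher3",
    "com.google.android.apps.nexuslauncher",
}

# Constructed sample output; 'com.example.flashplayer' is a hypothetical package.
SAMPLE_ACCESSIBILITY = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.flashplayer/.AccessibilityBridge\n"
)
SAMPLE_HOME = (
    "priority=0 preferredOrder=0 match=0x108000 specificIndex=-1 isDefault=true\n"
    "com.example.flashplayer/.LockActivity\n"
)


def parse_accessibility_services(raw: str) -> Set[str]:
    """`settings get secure enabled_accessibility_services` prints a ':'-separated
    list of package/service components, or 'null' when none are enabled."""
    raw = raw.strip()
    if not raw or raw == "null":
        return set()
    return {c for c in raw.split(":") if c}


def parse_home_package(raw: str) -> Optional[str]:
    """`cmd package resolve-activity --brief -a android.intent.action.MAIN
    -c android.intent.category.HOME` prints the resolved component on its last line."""
    lines = [ln.strip() for ln in raw.splitlines() if ln.strip()]
    if not lines or lines[-1].startswith("No activity found"):
        return None
    return lines[-1].split("/", 1)[0]


def triage(accessibility_raw: str, home_raw: str) -> List[str]:
    """Return one finding per component that falls outside the baseline."""
    findings: List[str] = []
    unexpected = parse_accessibility_services(accessibility_raw) - EXPECTED_ACCESSIBILITY
    for comp in sorted(unexpected):
        findings.append(f"unexpected accessibility service enabled: {comp}")
    home = parse_home_package(home_raw)
    if home is not None and home not in EXPECTED_HOME_PACKAGES:
        findings.append(f"non-baseline default launcher: {home}")
    return findings


def adb_shell(*args: str) -> str:
    """Run a command on the attached device; needs adb on PATH and USB debugging."""
    proc = subprocess.run(["adb", "shell", *args], capture_output=True, text=True, check=True)
    return proc.stdout


if __name__ == "__main__":
    print("--- constructed sample ---")
    for finding in triage(SAMPLE_ACCESSIBILITY, SAMPLE_HOME):
        print(finding)
    try:
        acc = adb_shell("settings", "get", "secure", "enabled_accessibility_services")
        home = adb_shell("cmd", "package", "resolve-activity", "--brief",
                         "-a", "android.intent.action.MAIN",
                         "-c", "android.intent.category.HOME")
        print("--- live device ---")
        for finding in triage(acc, home) or ["no findings"]:
            print(finding)
    except (FileNotFoundError, subprocess.CalledProcessError) as exc:
        print(f"live check skipped: {exc}")
```

Run it with a device attached and USB debugging enabled; with no device it still prints the findings for the constructed sample. The baseline approach matters because a legitimate screen reader also appears in the accessibility list, so the check compares against what the fleet is expected to have rather than alerting on any entry.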

The ransomware doesn’t send the device’s PIN code or encryption key to its authors, but researchers say that once the ransom is paid, the attacker can remotely reset the PIN and unlock the device.

The only option for cleaning DoubleLocker from the device is a factory reset. For rooted devices, there is a method to get past the PIN lock without a factory reset, but it only works if the device was in debugging mode before the ransomware was activated.

If this condition is met, the user can connect to the device over ADB and remove the system file where the PIN is stored. This unlocks the screen so the user can access the device. Then, working in safe mode, the user can deactivate device administrator rights for the malware and uninstall it. In some cases a device reboot is needed.

More information: [ESET]