This nasty new Android ransomware encrypts your phone – and changes your PIN

DoubleLocker ransomware doubles down on locking your Android phone.
Image: iStock
A new form of Android ransomware encrypts victims’ data and changes their PIN, making it almost impossible to get their files back without paying a ransom.
Dubbed DoubleLocker by researchers at ESET who discovered it, the ransomware is spread as a fake Adobe Flash update via compromised websites.
Once downloaded onto the device, the fake Adobe Flash app asks the user to activate ‘Google Play Services’, and through that request obtains a series of permissions via accessibility services, a function designed to help people with disabilities use their phone.
These include retrieval of window content, turning on enhanced web accessibility for the purposes of installing scripts, and observing typed-in text. The same technique of abusing accessibility services has previously been exploited by data-stealing Android trojans, but this is the first time it has been seen in ransomware.
Once given the appropriate permissions, DoubleLocker installs the ransomware as the default Home application, meaning the next time the user visits their home screen, they’re faced with a ransom note.
“Setting itself as a default home app – a launcher – is a trick that improves the malware’s persistence. Whenever the user clicks on the Home button, the ransomware gets activated and the device gets locked again. Thanks to using the accessibility service, the user doesn’t know that they launched malware by hitting Home,” says Lukáš Štefanko, malware researcher at ESET.
DoubleLocker ransomware note.
Image: ESET
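The two behaviours described above, an unexpected package holding accessibility-service rights and a non-launcher app registered as the default Home activity, are both visible from the device's own settings. The script below is an added triage example, not code from ESET or from this article: it parses the output of two real `adb shell` commands (`settings get secure enabled_accessibility_services` and `cmd package resolve-activity --brief` for the HOME intent) and flags anything outside an allowlist. The sample output, the `com.example.fakeflash` package and the allowlists are constructed assumptions for illustration.

```python
"""Triage helper for two DoubleLocker-style behaviours:
abuse of accessibility services and hijacking of the default Home app.

Added example; not ESET's or the article's code. The sample output and
the allowlists below are constructed for illustration.

Real commands whose output the functions parse (run against a device):
  adb shell settings get secure enabled_accessibility_services
  adb shell cmd package resolve-activity --brief \
      -a android.intent.action.MAIN -c android.intent.category.HOME
"""

# Constructed sample output, shaped like what the commands above print.
SAMPLE_A11Y = (
    "com.google.android.marvin.talkback/.TalkBackService:"
    "com.example.fakeflash/.PlayService"  # hypothetical package
)
SAMPLE_HOME = (
    "priority=0 preferredOrder=0 match=0x108000 specificIndex=-1 isDefault=true\n"
    "com.example.fakeflash/.LockActivity\n"  # hypothetical package
)

# Allowlists are an assumption; tailor them to the device fleet in question.
KNOWN_A11Y_PACKAGES = {"com.google.android.marvin.talkback"}
KNOWN_LAUNCHERS = {
    "com.google.android.apps.nexuslauncher",
    "com.android.launcher3",
    "com.sec.android.app.launcher",
}


def parse_accessibility_services(raw):
    """Split the colon-separated setting value into component names.
    The setting reads 'null' or is empty when no service is enabled."""
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    return [c for c in raw.split(":") if c]


def package_of(component):
    """'pkg/.Class' -> 'pkg'."""
    return component.split("/", 1)[0]


def unexpected_accessibility_services(raw, allowlist=KNOWN_A11Y_PACKAGES):
    """Components whose package is not on the allowlist."""
    return [c for c in parse_accessibility_services(raw)
            if package_of(c) not in allowlist]


def parse_home_component(raw):
    """resolve-activity --brief prints a header line, then the resolved
    component; return the component or None if nothing resolved."""
    lines = [l.strip() for l in raw.splitlines() if l.strip()]
    for line in reversed(lines):
        if "/" in line and not line.startswith("priority="):
            return line
    return None


def triage(a11y_raw, home_raw,
           known_a11y=KNOWN_A11Y_PACKAGES, known_launchers=KNOWN_LAUNCHERS):
    """Return a list of human-readable findings; empty means nothing flagged."""
    findings = []
    for comp in unexpected_accessibility_services(a11y_raw, known_a11y):
        findings.append("accessibility service enabled for unknown package: " + comp)
    home = parse_home_component(home_raw)
    if home is None:
        findings.append("could not determine default HOME activity")
    elif package_of(home) not in known_launchers:
        findings.append("default HOME activity is not a known launcher: " + home)
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_A11Y, SAMPLE_HOME):
        print("FINDING:", finding)
```

On the constructed sample the script reports two findings, one per behaviour. The allowlist approach is deliberate: a legitimate accessibility app is rare enough on a managed device that an unknown package holding those rights is worth a look on its own, and the default launcher should essentially never change without the user's knowledge.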
DoubleLocker locks the device in two ways. First, like other forms of ransomware, it encrypts the files on the device, in this case using the AES encryption algorithm and appending the extension “cryeye” to each file. Unfortunately for victims, the encryption is applied effectively, meaning there’s currently no way of retrieving the files without the key.

Secondly, the ransomware changes the PIN of the device, effectively blocking the victim from using it in any way at all. The PIN is set to a random number which the attackers don’t store themselves, meaning it’s impossible to recover access to the device by guessing it. The attackers remotely reset the PIN to unlock the device once the ransom is paid.
In return for unlocking the device, the attackers demand a ransom of 0.0130 Bitcoins – around $73 at the time of writing because of the high valuation of the currency.
While this figure is low compared with other forms of ransomware, it’s likely the cyber criminals behind the scheme think that victims are more likely to pay a smaller amount in order to regain access to their phone or tablet.
A deadline of 24 hours for paying the ransom is issued by the attackers, who claim “Without [the software], you will never be able to get your original files back”.
For most, there’s only one way to rid the device of DoubleLocker without paying the ransom – and that’s via a factory reset, which will lead to all of the data which isn’t backed up being lost.
There’s a small chance that rooted Android phones can get past the PIN lock without being reset, and only if the device was in debugging mode before the ransomware was installed. If this is the case, the user can remove the system file where the PIN is stored, which allows the user to manually reset the device.
The best way for Android users to avoid falling victim to ransomware or other malware is to not install applications or software from third-party sites.
However, Google’s own Play Store isn’t bulletproof – the official market keeps out the vast majority of malicious apps, but some still slip through the net.