
New ransomware hits Android devices via hacked websites as fake Adobe plug-ins

An Android ransomware dubbed DoubleLocker can lock down a victim’s phone by changing the device PIN and encrypting all data stored on it. This makes it nearly impossible for victims to access their data without paying the ransom.

According to researchers, the ransomware is distributed as a fake Adobe Flash Player app served from compromised websites. On launch it asks the victim to grant it device administrator rights, and once those are enabled it uses them to set itself as the default home (launcher) application.

Whenever the user taps the home button, the ransomware is launched again and the device is locked anew; the user has no idea that every press of the button starts the malware.

The ransomware encrypts all data stored on the device with the AES algorithm, which means that, in practice, there is no way to decrypt the files without obtaining the key from the attackers. True to its name, the ransomware uses two techniques to force its victims to pay up.

First, it changes the device PIN to a new one that is neither stored on the phone nor sent anywhere; the PIN is only reset by the attacker after the ransom is paid. Second, it encrypts all files in the device’s primary storage directory with AES, appending the “.cryeye” extension to each. Without the key, there is no way to recover the files.
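The combination the text describes, an app that requests device administrator rights and also registers itself as a home (launcher) application, can be flagged during APK triage from the app’s manifest. The following Python script is an added example and not code from the original article or from the researchers who analysed DoubleLocker; it assumes the manifest has already been decoded to plain XML (as apktool or a similar tool produces), and the package names and manifest contents below are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Android attributes in a decoded AndroidManifest.xml live in this namespace.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Manifest markers of the two capabilities the article describes.
DEVICE_ADMIN_PERMISSION = "android.permission.BIND_DEVICE_ADMIN"
DEVICE_ADMIN_ACTION = "android.app.action.DEVICE_ADMIN_ENABLED"
HOME_CATEGORY = "android.intent.category.HOME"


def declares_device_admin(root):
    """True if any <receiver> is a device-admin receiver: guarded by
    BIND_DEVICE_ADMIN and listening for DEVICE_ADMIN_ENABLED."""
    for receiver in root.iter("receiver"):
        if receiver.get(ANDROID_NS + "permission") != DEVICE_ADMIN_PERMISSION:
            continue
        actions = {a.get(ANDROID_NS + "name") for a in receiver.iter("action")}
        if DEVICE_ADMIN_ACTION in actions:
            return True
    return False


def declares_home_launcher(root):
    """True if any <activity> offers itself as a home screen (launcher)."""
    for activity in root.iter("activity"):
        for intent_filter in activity.iter("intent-filter"):
            categories = {c.get(ANDROID_NS + "name")
                          for c in intent_filter.iter("category")}
            if HOME_CATEGORY in categories:
                return True
    return False


def audit_manifest(manifest_xml):
    """Return a triage verdict for one decoded AndroidManifest.xml string."""
    root = ET.fromstring(manifest_xml)
    admin = declares_device_admin(root)
    home = declares_home_launcher(root)
    return {
        "package": root.get("package"),
        "device_admin": admin,
        "home_launcher": home,
        # Either capability alone is common in legitimate apps (MDM/antivirus
        # vs. third-party launchers); the combination is the DoubleLocker pattern.
        "suspicious": admin and home,
    }


# Constructed sample manifests (hypothetical package names, not real apps).
FAKE_FLASH_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeflash">
  <application android:label="Adobe Flash Player">
    <activity android:name=".LockActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.HOME"/>
        <category android:name="android.intent.category.DEFAULT"/>
      </intent-filter>
    </activity>
    <receiver android:name=".AdminReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

BENIGN_LAUNCHER_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.launcher">
  <application>
    <activity android:name=".Home">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.HOME"/>
        <category android:name="android.intent.category.DEFAULT"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""

BENIGN_MDM_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.mdm">
  <application>
    <receiver android:name=".PolicyReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    for m in (FAKE_FLASH_MANIFEST, BENIGN_LAUNCHER_MANIFEST, BENIGN_MDM_MANIFEST):
        print(audit_manifest(m))
```

Only the fake Flash Player sample trips the `suspicious` flag; the launcher-only and device-admin-only manifests do not. This is a triage signal, not proof of malice: a legitimate launcher that also ships an MDM component would match too, so the verdict should feed manual review rather than an automatic block.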

The ransom, to be paid within a 24-hour deadline, is 0.0130 BTC (about $54, or roughly INR 4,000).

Ankush Johar, Director, HumanFirewall.io, a leading provider of human information security awareness and preparedness solutions, said, “After WannaCry and Petya, malware developers have now struck Android by bringing in a new strain of Android ransomware attack. In the case of DoubleLocker, hackers have used the simplest and most effective way to trick users, i.e. social engineering. Humans are the weakest link in cybersecurity and hackers have leveraged this weak link to compromise Android devices. The central reason why DoubleLocker is deadly is that it grants itself device administrator permissions (generally used by antivirus/lost-phone apps). This permission gives the attacker complete remote control of the device, including features like remote lock, wipe, locate, ring and change passwords.

The prevention, on the other hand, is rather simple. Think before you click! Users are advised not to click on pop-ups that ask them to install plug-ins or additional software. More importantly, look extremely carefully at the permissions you are granting an app. Never ever give device administrator permission to an application even if downloading from the official store unless you are absolutely sure that you want to give the app owners complete remote access to your device.”

Prevention is better than cure: back up your data regularly, as paying the ransom is no guaranteed solution. Even if you pay the required amount, there is no assurance that the attackers will keep their word and decrypt the files.
