ESET security researchers have discovered a new kind of Android ransomware called DoubleLocker. It encrypts the data on the targeted Android device and then changes the device PIN, locking the owner out completely. To recover both the PIN and the data, the victim is expected to meet the attacker's ransom demand.
It is the first known Android ransomware to misuse Android accessibility services in order to encrypt all files on the device and display a ransom note.
How Does It Work?
This latest Android ransomware combines a clever infection mechanism with two separate levers for extracting money from the victim. DoubleLocker misuses Android accessibility services, a technique that has become popular among cybercriminals.
"Its payload can change the device's PIN, preventing the victim from accessing their device and encrypts the victim's data," says Lukáš Štefanko, the malware researcher at ESET who found DoubleLocker ransomware. He also adds that this combination hasn't been seen in the Android ecosystem yet.
DoubleLocker is based on banking malware, so account-compromising functionality could easily be added to it. It reaches the device in much the same way as its PC counterparts: as a fake Adobe Flash Player update pushed through compromised websites.
Once the fake update is installed, the app asks the user to enable the malware's accessibility service, which is deceptively named "Google Play Service". After the malware has received accessibility permissions, it uses them to grant itself device administrator rights and to set itself as the default Home app (launcher), so it is launched every time the user presses the Home button.
DoubleLocker gives victims two reasons to pay. First, it changes the device's PIN, effectively blocking the user from using the device. Second, it encrypts all files in the device's primary storage directory using the AES encryption algorithm.
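The combination described above (an untrusted app that holds an accessibility service, device administrator rights and the default Home role at the same time) is a useful triage signal for a defender. The following Python is an added example, not code from ESET or from the article: it parses the output of the Android `settings get secure enabled_accessibility_services` and `dumpsys device_policy` commands plus the resolved Home package, and flags packages that match that pattern. The allowlist, the sample outputs and the `com.example.fakeflash` package name are constructed for the demo, and the `ComponentInfo{pkg/cls}` notation assumed for `dumpsys` output.

```python
import re
from dataclasses import dataclass, field

# Constructed allowlist of packages allowed to hold these privileges; a real
# deployment would derive it from the known-good system image or an MDM inventory.
TRUSTED_PACKAGES = {"com.google.android.marvin.talkback", "com.android.launcher3"}


@dataclass
class Posture:
    accessibility: set = field(default_factory=set)  # packages with an enabled accessibility service
    device_admins: set = field(default_factory=set)  # packages holding device admin
    home_app: str = ""                                # package resolved as the default launcher


def parse_accessibility(setting: str) -> set:
    """Parse `settings get secure enabled_accessibility_services` output: a ':'-separated
    list of ComponentName strings such as 'com.foo/.Svc'. Returns the package names."""
    if not setting or setting.strip() == "null":
        return set()
    return {c.split("/")[0] for c in setting.strip().split(":") if "/" in c}


def parse_device_admins(dump: str) -> set:
    """Extract admin package names from `dumpsys device_policy` text (assumed format)."""
    return set(re.findall(r"ComponentInfo\{([\w.]+)/", dump))


def assess(p: Posture, trusted=TRUSTED_PACKAGES) -> list:
    """Return findings; an untrusted package combining all three roles is rated CRITICAL."""
    findings = []
    for pkg in sorted(p.accessibility - trusted):
        roles = ["accessibility"]
        if pkg in p.device_admins:
            roles.append("device-admin")
        if pkg == p.home_app:
            roles.append("default-home")
        findings.append(f"{'CRITICAL' if len(roles) == 3 else 'WARN'} {pkg}: {'+'.join(roles)}")
    if p.home_app and p.home_app not in trusted and p.home_app not in p.accessibility:
        findings.append(f"WARN {p.home_app}: untrusted default-home")
    return findings


# Constructed sample output imitating an infected device: the fake "Google Play Service"
# accessibility service, the device admin receiver and the Home role all belong to one app.
SAMPLE_ACCESSIBILITY = ("com.google.android.marvin.talkback/.TalkBackService:"
                        "com.example.fakeflash/.GooglePlayService")
SAMPLE_DUMPSYS = ("Enabled Device Admins (User 0, provisioningState: 0):\n"
                  "  ComponentInfo{com.example.fakeflash/com.example.fakeflash.AdminReceiver}:\n"
                  "    uid=10123\n")
SAMPLE_HOME = "com.example.fakeflash"


def demo() -> list:
    posture = Posture(parse_accessibility(SAMPLE_ACCESSIBILITY),
                      parse_device_admins(SAMPLE_DUMPSYS), SAMPLE_HOME)
    return assess(posture)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a real handset the three inputs come from `adb shell`; the default launcher can be read with `cmd package resolve-activity -a android.intent.action.MAIN -c android.intent.category.HOME`.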
What If It Hits Your Android Device?
If DoubleLocker encrypts an Android device, the victim has 24 hours to pay 0.0130 Bitcoin, roughly $73.38 at the time of writing, to have the data decrypted.
Affected users can avoid paying by performing a factory reset. Resetting the device removes the infection, but it also wipes out all data stored on it, which is why it is best to always keep a backup.