Here is a surprise: there is ransomware targeting Android devices that focuses on abusing accessibility services, researchers said.
The DoubleLocker ransomware not only encrypts users’ data, but it also locks the infected devices down, said researchers from ESET.
The ransomware is based on the source code of the BankBot banking Trojan.
The ransomware uses two tools to extort money from its victims: it locks the device and it encrypts the data stored on it.
DoubleLocker spreads as a fake Adobe Flash Player application downloadable through compromised websites, researchers said in a post. Once installed on the victim’s device, it requests activation of the accessibility service called “Google Play Service,” which allows it to gain administrator rights and set itself as the default Home application, without the user’s consent.
The malware also changes the device’s PIN code, thus locking the victim out. The new PIN is randomly generated and is not stored on the device. The attackers, however, can remotely reset the PIN and unlock the device.
“Setting itself as a default home app — a launcher — is a trick that improves the malware’s persistence,” said ESET malware researcher Lukáš Štefanko. “Whenever the user clicks on the Home button, the ransomware gets activated and the device gets locked again. Thanks to using the accessibility service, the user doesn’t know that they launched malware by hitting Home.”
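The three footholds described above (an enabled accessibility service, device administrator rights, and a replaced default Home app) can all be read from a device over ADB. The following audit script is an added example, not code from ESET or from the article: it parses the text printed by the real commands `settings get secure enabled_accessibility_services`, `dumpsys device_policy` and `cmd package resolve-activity --brief`, flags packages outside an allowlist, and reports any package that holds two or more of the roles, which is the persistence pattern the researcher describes. The allowlists, the package name `com.example.flashplayer` and the embedded sample outputs are constructed for illustration.

```python
"""Offline-testable audit of the persistence footholds an Android locker/ransomware
can take: accessibility service, device admin, default Home (launcher) app.
Added example; parsers accept the output format of the real adb commands listed in
collect_via_adb(). Sample outputs below are constructed, not captured from a device."""
import re
import shutil
import subprocess

# Allowlists are an assumption for this example; a real baseline is whatever
# accessibility apps, MDM agents and launchers an organisation actually deploys.
KNOWN_ACCESSIBILITY = {"com.google.android.marvin.talkback"}   # stock screen reader
KNOWN_LAUNCHERS = {"com.google.android.apps.nexuslauncher", "com.android.launcher3"}
KNOWN_ADMINS = set()   # e.g. an MDM agent; empty here, so every device admin is reported

# Constructed sample outputs (hypothetical malicious package: com.example.flashplayer).
SAMPLE_ACCESSIBILITY = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.flashplayer/com.example.flashplayer.GooglePlayService"
)
SAMPLE_DUMPSYS = """Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    ComponentInfo{com.example.flashplayer/com.example.flashplayer.AdminReceiver}:
      uid=10234
      policies:
        reset-password
        force-lock
"""
SAMPLE_HOME = """priority=0 preferredOrder=0 match=0x108000 specificIndex=-1 isDefault=true
com.example.flashplayer/.LockActivity
"""


def parse_accessibility_services(text):
    """'pkg/cls:pkg/cls' -> list of package names; Android prints 'null' when none."""
    text = text.strip()
    if not text or text == "null":
        return []
    return [entry.split("/")[0] for entry in text.split(":") if entry]


def parse_device_admins(dumpsys_text):
    """Package names from every ComponentInfo{pkg/cls} entry in dumpsys device_policy."""
    return sorted({m.group(1) for m in re.finditer(r"ComponentInfo\{([^/}]+)/", dumpsys_text)})


def parse_home_component(text):
    """resolve-activity --brief prints the resolved component alone on a line as pkg/cls."""
    for line in text.splitlines():
        line = line.strip()
        if "/" in line and " " not in line:
            return line.split("/")[0]
    return None   # e.g. 'No activity found'


def audit(accessibility_text, dumpsys_text, home_text):
    """Return (role, package) findings; a package with 2+ roles is also flagged as
    'persistence_pattern', matching the launcher-plus-admin foothold described."""
    findings = []
    for pkg in parse_accessibility_services(accessibility_text):
        if pkg not in KNOWN_ACCESSIBILITY:
            findings.append(("accessibility_service", pkg))
    for pkg in parse_device_admins(dumpsys_text):
        if pkg not in KNOWN_ADMINS:
            findings.append(("device_admin", pkg))
    home = parse_home_component(home_text)
    if home is not None and home not in KNOWN_LAUNCHERS:
        findings.append(("default_home", home))
    roles = {}
    for role, pkg in findings:
        roles.setdefault(pkg, set()).add(role)
    for pkg, seen in roles.items():
        if len(seen) >= 2:
            findings.append(("persistence_pattern", pkg))
    return findings


def collect_via_adb():
    """Run the real commands against a connected, authorized device; None if adb is absent."""
    if shutil.which("adb") is None:
        return None

    def run(*args):
        return subprocess.run(["adb", "shell", *args], capture_output=True,
                              text=True, timeout=30).stdout

    return (run("settings", "get", "secure", "enabled_accessibility_services"),
            run("dumpsys", "device_policy"),
            run("cmd", "package", "resolve-activity", "--brief",
                "-c", "android.intent.category.HOME", "-a", "android.intent.action.MAIN"))


if __name__ == "__main__":
    live = collect_via_adb()
    texts = live if live else (SAMPLE_ACCESSIBILITY, SAMPLE_DUMPSYS, SAMPLE_HOME)
    for role, pkg in audit(*texts):
        print(f"{role}: {pkg}")
```

Run on a workstation with `adb` on the PATH and an authorized device attached, the script audits that device; without `adb` it falls back to the constructed samples, where the single package holding all three roles is reported once per role and once more as `persistence_pattern`. Note that this reads device settings only; removing an admin or uninstalling a package is left to the operator, as the article describes for the safe-mode cleanup.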
The ransomware then encrypts all files located in the device’s primary storage directory. The malware uses the AES encryption algorithm for this operation and appends the .cryeye extension to the affected files.
The ransom note tells the victim that the original files have been deleted and that the ransom must be paid within 24 hours. The malware asks for a 0.0130 Bitcoin ransom (around $50) and displays a QR code that should make it easier for victims to pay.
“DoubleLocker misuses Android accessibility services, which is a popular trick among cybercriminals. Its payload can change the device’s PIN, preventing the victim from accessing their device and encrypts the victim’s data. Such a combination hasn’t been seen yet in the Android ecosystem,” Štefanko said.
For rooted devices, there is a method to get past the PIN lock without a factory reset. For the method to work, the device must have had debugging mode enabled before the ransomware was activated.
If this condition is met, the user can connect to the device over ADB and remove the system file in which Android stores the PIN. This operation unlocks the screen so the user can access their device. Then, working in safe mode, the user can revoke the malware’s device administrator rights and uninstall it. In some cases, a device reboot is needed.
“DoubleLocker serves as just another reason for mobile users to have a quality security solution installed, and to back up their data on a regular basis,” Štefanko said.