New malware uses Android accessibility services to extort money from its victims.
Researchers at ESET have discovered a novel piece of Android malware, dubbed DoubleLocker, built on the foundations of a previously documented banking Trojan.
Rather than harvesting banking credentials and emptying accounts, it uses two tools for extortion. First, it changes the device's PIN, locking the user out of the device. Second, it encrypts the data it finds on the device, a combination not previously seen in the Android ecosystem. DoubleLocker poses as a fake Adobe Flash Player update and asks the user to activate 'Google Play Services' through Android's accessibility services, a feature designed to help people with disabilities use their phones. Because an accessibility service can observe and act on the user's behalf inside other apps, enabling it hands the malware the control it needs over the device.
Lukas Stefanko, the ESET malware researcher who discovered the DoubleLocker malware, said: “Given its banking malware roots, DoubleLocker may well be turned into what could be called ransom-bankers: two-stage malware that first tries to wipe your bank or PayPal account, and subsequently locks your device and data to request a ransom. Speculation aside, we spotted a test version of such a ransom-banker in the wild as long ago as May 2017.”
Criminals exploiting Android accessibility
The misuse of Android accessibility services is nothing new among cyber-criminals, but the combination of PIN change and data encryption is an unprecedented development.
The new PIN is set to a random value that is neither stored on the device nor sent to the attackers, so neither the user nor a security expert can recover it. Once the ransom is paid, the attacker can remotely reset the PIN and unlock the device.
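The abuse pattern described above (an accessibility service the user is tricked into enabling, used to take over the device) leaves a recognisable footprint in an app's manifest. The following triage script is an added example written for this page, not ESET's code and not DoubleLocker; it runs over a constructed, decoded AndroidManifest.xml (hypothetical package name `com.example.flashupdate` and class names) of the form apktool produces, and flags services guarded by `BIND_ACCESSIBILITY_SERVICE`, labels that impersonate Google components inside a non-Google package, and, going one step beyond the article, the pairing of such a service with a device-admin receiver (`BIND_DEVICE_ADMIN`), since changing the lock PIN on Android normally requires device administrator rights; the page itself does not discuss device admin.

```python
"""Triage a decoded AndroidManifest.xml for the accessibility-service abuse
pattern described on this page. Added example, not ESET's or DoubleLocker's code."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ACCESSIBILITY_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"
DEVICE_ADMIN_PERM = "android.permission.BIND_DEVICE_ADMIN"

# Constructed sample manifest (hypothetical package and class names) in the
# decoded form apktool emits. It is NOT the real DoubleLocker manifest.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashupdate">
  <application android:label="Adobe Flash Player">
    <service android:name=".A11yService"
             android:label="Google Play Services"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def _attr(el, name):
    """Read an android:-namespaced attribute, or '' if absent."""
    return el.get("{%s}%s" % (ANDROID_NS, name), "")


def find_components(manifest_xml, permission):
    """Return (name, label) for every <service>/<receiver> guarded by `permission`."""
    root = ET.fromstring(manifest_xml)
    found = []
    for el in root.iter():
        if el.tag in ("service", "receiver") and _attr(el, "permission") == permission:
            found.append((_attr(el, "name"), _attr(el, "label")))
    return found


def triage(manifest_xml):
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    findings = []
    a11y = find_components(manifest_xml, ACCESSIBILITY_PERM)
    for name, label in a11y:
        findings.append("accessibility service %s (label %r)" % (name, label))
        # A service labelled as a Google component inside a non-Google package
        # is the social-engineering lure the article describes.
        if "google" in label.lower() and not package.startswith("com.google."):
            findings.append("service label impersonates Google: %r in %s" % (label, package))
    admin = find_components(manifest_xml, DEVICE_ADMIN_PERM)
    if a11y and admin:
        # Accessibility service plus device-admin receiver in one app: the pair
        # needed to click through dialogs on the user's behalf and reset the PIN.
        findings.append("accessibility service combined with device admin receiver %s" % admin[0][0])
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_MANIFEST):
        print("[!]", finding)
```

Run it against a manifest decoded with `apktool d app.apk`; a legitimate accessibility app will trip the first finding, so the second and third findings carry the weight when deciding whether to dig into the decompiled code.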
DoubleLocker encrypts files using the AES algorithm and appends the extension '.cryeye' to each encrypted file. The ransom is currently set at approximately $54 and must be paid within 24 hours.
The ransom note warns the user against removing or otherwise blocking DoubleLocker, but ESET dismisses this warning as irrelevant for a device with a good security solution installed.
For an infected device, the only viable option is a factory reset. The exception is a rooted device that already had debugging mode enabled before the infection: its owner can bypass the PIN lock without a reset by connecting over ADB and removing the system file in which the PIN is stored. There is no way to recover the encrypted data on the device, all the more reason to install a good security solution and back up your data regularly.