ESET researchers have discovered DoubleLocker, an innovative Android malware that combines a cunning infection mechanism with two powerful tools for extorting money from its victims.
Detected by ESET products as Android/DoubleLocker, it is based on the foundations of the banking Trojan Android.BankBot.211.origin, renowned for misusing accessibility services of the Android operating system, which is a popular trick among cybercriminals.
“DoubleLocker’s payload can change the device’s PIN, preventing the victim from accessing their device, and encrypt the victim’s data. Such a combination hasn’t been seen yet in the Android ecosystem,” comments Lukáš Štefanko, ESET Malware Researcher who discovered DoubleLocker.
DoubleLocker spreads in the very same way as its banking parent does. It is distributed mostly as a fake Adobe Flash Player through compromised websites. Once launched, the app requests activation of the malware’s accessibility service, named ‘Google Play Service’.
After the malware obtains the accessibility permissions, it uses them to activate device administrator rights and set itself as the default Home application, in both cases without the user’s consent.
“Setting itself as a default home app – a launcher – is a trick that improves the malware’s persistence. Whenever the user clicks on the Home button, the ransomware gets activated and the device gets locked again. Thanks to using the accessibility service, the user doesn’t know that they launched malware by hitting Home,” explains Štefanko.
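The three footholds described above (an enabled accessibility service, device administrator rights and the default Home app) can be correlated during device triage. The following is an added example written for this article, not ESET's code: the inputs are constructed strings standing in for what an analyst would pull from a device over ADB, the package name `com.adobe.flashplayer.update` is a made-up stand-in, and the device-admin list format and the trusted-package allowlist are assumptions.

```python
# Added triage example (not ESET's code): flag untrusted packages that hold
# more than one of the footholds DoubleLocker is described as taking.
# All inputs below are CONSTRUCTED samples, not captured from a real device.
import re

# Shape of `adb shell settings get secure enabled_accessibility_services`:
# "pkg/cls" component names separated by ':'.  Constructed sample.
ACCESSIBILITY_SETTING = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.adobe.flashplayer.update/com.adobe.flashplayer.update.GooglePlayService"
)
# Active device admins as one "pkg/cls" line each (assumed extract format).
DEVICE_ADMINS = """\
com.android.settings/com.android.settings.DeviceAdminReceiver
com.adobe.flashplayer.update/com.adobe.flashplayer.update.AdminReceiver
"""
# Package currently resolved as the default Home (launcher). Constructed.
DEFAULT_HOME = "com.adobe.flashplayer.update"
# Packages the defender already trusts with these privileges (assumed).
ALLOWLIST = {"com.google.android.marvin.talkback", "com.android.settings"}

COMPONENT = re.compile(r"([A-Za-z0-9_.]+)/[A-Za-z0-9_.$]+")

def packages_in(text, sep):
    """Return the set of package names from 'pkg/cls' entries in text."""
    pkgs = set()
    for chunk in text.split(sep):
        m = COMPONENT.match(chunk.strip())
        if m:
            pkgs.add(m.group(1))
    return pkgs

def triage(accessibility, admins, home, allowlist=ALLOWLIST):
    """Map each untrusted package holding two or more footholds to them."""
    footholds = {}
    for pkg in packages_in(accessibility, ":") - allowlist:
        footholds.setdefault(pkg, set()).add("accessibility")
    for pkg in packages_in(admins, "\n") - allowlist:
        footholds.setdefault(pkg, set()).add("device_admin")
    if home not in allowlist:
        footholds.setdefault(home, set()).add("default_home")
    return {p: sorted(f) for p, f in footholds.items() if len(f) >= 2}

if __name__ == "__main__":
    for pkg, held in triage(ACCESSIBILITY_SETTING, DEVICE_ADMINS, DEFAULT_HOME).items():
        print(f"{pkg}: {', '.join(held)}")
```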
DoubleLocker, however, lacks the functions for harvesting users’ banking credentials and wiping out their accounts, though these could easily be added.
“Given its banking malware roots, DoubleLocker may well be turned into what can be called ransom-bankers. Two-stage malware that first tries to wipe your bank or PayPal account and subsequently locks your device and data to request a ransom,” says Štefanko, who adds that a test version of such a ransom-banker was spotted in the wild as long ago as May 2017.
DoubleLocker, once executed on the device, creates two reasons for the victims to pay.
First, it changes the device’s PIN, effectively blocking the victim from using it. The new PIN is set to a random value which is neither stored on the device nor sent anywhere, so it’s impossible for the user or a security expert to recover it. After the ransom is paid, the attacker can remotely reset the PIN and unlock the device.
Second, DoubleLocker encrypts all files from the device’s primary storage directory. It utilizes the AES encryption algorithm, appending the filename extension “.cryeye”. The ransom has been set to 0.0130 BTC (approximately US $54 at time of writing) and the message highlights that it must be paid within 24 hours. However, if the ransom is not paid, the data will remain encrypted and will not be deleted.
Figure 1: Encrypted files on a device infected with DoubleLocker
Figure 2: DoubleLocker ransom message
In the ransom note, the user is warned against removing or otherwise blocking DoubleLocker: to prevent unwanted removal of the “software”, the crooks even recommend disabling the user’s antivirus software.
“Such advice is irrelevant: all those with a quality security solution installed on their devices are safe from DoubleLocker,” comments Štefanko.
To clean a device of DoubleLocker: for devices that are not rooted and that do not have a mobile device management solution installed that is capable of resetting the PIN, the only way to remove the PIN lock screen is a factory reset.
If the device is rooted, the user can connect to the device via ADB and remove the file where the PIN is stored. For this to work, the device needs to have debugging enabled (Settings -> Developer options -> USB Debugging).
The PIN or password lock screen will be removed and the user can access the device. Then, working in safe mode, the user can deactivate device administrator rights for the malware and uninstall it. In some cases, a device reboot is needed.
“DoubleLocker serves as just another reason for mobile users to have a quality security solution installed, and to back up their data on a regular basis,” concludes Štefanko.