A new form of Android ransomware encrypts victims’ data and changes their PIN, making it almost impossible to get their files back without paying a ransom. Dubbed DoubleLocker by the researchers at ESET who discovered it, the ransomware is spread as a fake Adobe Flash update via compromised websites.
Once downloaded onto the device, the fake Adobe Flash app asks the user to activate ‘Google Play Services’; what is actually being granted is a set of permissions obtained via accessibility services, a feature designed to help people with disabilities use their phone.
These permissions include retrieving window content, turning on enhanced web accessibility (used to install scripts) and observing typed-in text. The same technique of abusing accessibility services has previously been used by data-stealing Android trojans, but this is the first time it has been seen in ransomware.
Once granted these permissions, DoubleLocker sets itself as the default Home application (the launcher), meaning the next time the user returns to their home screen, they’re faced with a ransom note.
“Setting itself as a default home app – a launcher – is a trick that improves the malware’s persistence. Whenever the user clicks on the Home button, the ransomware gets activated and the device gets locked again. Thanks to using the accessibility service, the user doesn’t know that they launched malware by hitting Home,” says Lukáš Štefanko, malware researcher at ESET.
DoubleLocker ransomware note. Image: ESET
DoubleLocker locks the device in two ways. First, like other forms of ransomware, it encrypts the files on the device, in this case using the AES encryption algorithm and marking encrypted files with the extension “cryeye”. Unfortunately for victims, the encryption is implemented correctly, meaning there’s currently no way of retrieving the files without the key.
Secondly, the ransomware changes the device’s PIN, effectively blocking the victim from using it at all. The PIN is set to a random number which the attackers don’t store themselves, meaning it’s impossible for the victim to recover access to the device on their own. The attackers remotely reset the PIN to unlock the device after the ransom is paid.
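The three indicators described above (an accessibility service enabled for a sideloaded app, the default Home app hijacked by that same app, and files carrying the “cryeye” extension) can be checked together when triaging a device. The following Python script is an added example, not code from ESET or from this article: it takes the value of Android’s `ENABLED_ACCESSIBILITY_SERVICES` secure setting (whose real format is a colon-separated list of `package/class` component names), a per-package record of installer source and system-app status, the component resolved as the default Home activity, and a list of file names, and reports which DoubleLocker indicators are present. The `PackageInfo` and `Finding` types, the package name `com.example.fakeflash`, and all sample values are constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

PLAY_STORE_INSTALLER = "com.android.vending"
RANSOM_EXTENSION = ".cryeye"  # extension ESET reports DoubleLocker applying to encrypted files


@dataclass(frozen=True)
class PackageInfo:
    installer: Optional[str]  # installing package, None when unknown or sideloaded
    is_system: bool           # True for apps shipped in the system image


@dataclass(frozen=True)
class Finding:
    check: str
    detail: str


def parse_enabled_accessibility_services(raw: str) -> List[str]:
    """Split the Settings.Secure ENABLED_ACCESSIBILITY_SERVICES value
    ("pkg/cls:pkg2/cls2") into its ComponentName strings."""
    return [entry for entry in raw.strip().split(":") if entry]


def package_of(component: str) -> str:
    """'com.example/.Service' -> 'com.example'."""
    return component.split("/", 1)[0]


def is_sideloaded(pkg: str, packages: Dict[str, PackageInfo]) -> bool:
    """A package is treated as sideloaded when it is neither a system app nor
    installed through the Play Store; unknown packages count as sideloaded."""
    info = packages.get(pkg)
    if info is None:
        return True
    return not info.is_system and info.installer != PLAY_STORE_INSTALLER


def triage(enabled_services_raw: str, packages: Dict[str, PackageInfo],
           default_home: str, file_names: List[str]) -> List[Finding]:
    findings: List[Finding] = []

    # 1. Accessibility services granted to sideloaded apps: the capability
    #    DoubleLocker abuses to click through dialogs and observe typed text.
    for component in parse_enabled_accessibility_services(enabled_services_raw):
        if is_sideloaded(package_of(component), packages):
            findings.append(Finding(
                "accessibility",
                f"enabled accessibility service from sideloaded app: {component}"))

    # 2. Default HOME activity resolved to a sideloaded app: the launcher trick
    #    that re-triggers the lock screen every time Home is pressed.
    home_pkg = package_of(default_home)
    if is_sideloaded(home_pkg, packages):
        findings.append(Finding(
            "launcher", f"default home app is a sideloaded package: {home_pkg}"))

    # 3. Files already carrying the ransomware's extension.
    encrypted = [f for f in file_names if f.endswith(RANSOM_EXTENSION)]
    if encrypted:
        findings.append(Finding(
            "encrypted_files",
            f"{len(encrypted)} file(s) carry the {RANSOM_EXTENSION} extension"))

    # Accessibility abuse combined with a launcher hijack is the persistence
    # pattern described in the article.
    checks = {f.check for f in findings}
    if {"accessibility", "launcher"} <= checks:
        findings.append(Finding(
            "pattern",
            "accessibility abuse plus launcher hijack matches the DoubleLocker persistence pattern"))
    return findings


# Constructed sample input (not real device data); com.example.fakeflash is a
# placeholder standing in for a sideloaded "Flash update" app.
SAMPLE_PACKAGES = {
    "com.android.launcher3": PackageInfo(installer=None, is_system=True),
    "com.google.android.marvin.talkback": PackageInfo(installer=PLAY_STORE_INSTALLER, is_system=False),
    "com.example.fakeflash": PackageInfo(installer=None, is_system=False),
}
SAMPLE_SERVICES = ("com.google.android.marvin.talkback/.TalkBackService:"
                   "com.example.fakeflash/.LockService")
SAMPLE_HOME = "com.example.fakeflash/.LockActivity"
SAMPLE_FILES = ["DCIM/IMG_0001.jpg.cryeye", "Download/report.pdf.cryeye", "Download/notes.txt"]


if __name__ == "__main__":
    for finding in triage(SAMPLE_SERVICES, SAMPLE_PACKAGES, SAMPLE_HOME, SAMPLE_FILES):
        print(f"[{finding.check}] {finding.detail}")
```

A legitimate accessibility service installed from the Play Store (TalkBack in the sample) is deliberately not flagged; the signal is a sideloaded app holding accessibility access, and the combination with a sideloaded default launcher is what distinguishes this family’s persistence trick from an ordinary accessibility-abusing trojan.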