Ransomware has been a headache for most PC users for the past decade. Now it has spread to Android devices. A new kind of ransomware is circulating that encrypts everything on an Android phone and can even change the phone's PIN, rendering the device completely unusable. The malware has been identified as DoubleLocker by researchers at ESET, who discovered it and report that it spreads through a fake Adobe Flash update which users install from third-party websites.
Once the download finishes, the fake Adobe Flash app asks for permissions under the pretext of activating Google Play Services. As soon as those permissions are granted, a number of vulnerabilities are exploited through the ‘Accessibility’ function of the Android phone, a function that exists to help people with disabilities use their phone more easily.
Once the malware gains accessibility privileges, it can install scripts on the device through the Accessibility function; it is designed to install scripts and read text through them. This infiltration technique had previously been used by data-stealing Android Trojans, but DoubleLocker is the first ransomware to rely on it.
After obtaining all the necessary permissions, DoubleLocker installs itself as the default home application. This means that the next time the user presses the home button, they are taken to the ransomware screen, because it is now the default home app.
Lukáš Štefanko, malware researcher at ESET, said:
“Setting itself as a default home app – a launcher – is a trick that improves the malware’s persistence. Whenever the user clicks on the Home button, the ransomware gets activated and the device gets locked again. Thanks to using the accessibility service, the user doesn’t know that they launched malware by hitting Home.”
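The two footholds described above (a third-party app holding the accessibility service, and the malware set as the default home app) are things an incident responder can check for directly on a device. The following Python script is an added example, not ESET's code or anything taken from the malware. It assumes the analyst has pulled two strings from the device over adb: the output of "settings get secure enabled_accessibility_services" and of "cmd package resolve-activity --brief -a android.intent.action.MAIN -c android.intent.category.HOME", and it flags any package that holds the accessibility service or the HOME role without being on an explicit allowlist. The package name com.example.fakeflash and the sample command output are constructed placeholders, not real indicators.

```python
"""Audit an Android device for two persistence footholds: an app holding the
accessibility service, and an unexpected app resolved as the default HOME
(launcher) activity.

Added example, not ESET's code or anything from the malware. It assumes two
strings pulled from the device over adb:
  - `adb shell settings get secure enabled_accessibility_services`
    (colon-separated component names, or 'null' when none are enabled)
  - `adb shell cmd package resolve-activity --brief -a android.intent.action.MAIN -c android.intent.category.HOME`
    (a priority line followed by the resolved component name)
The sample values below are constructed; 'com.example.fakeflash' is a
placeholder package name, not a real indicator.
"""
from dataclasses import dataclass, field


@dataclass
class Finding:
    kind: str       # "accessibility" or "home_launcher"
    component: str  # pkg/class exactly as the device reported it
    reason: str


@dataclass
class AuditResult:
    findings: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.findings)


def parse_components(setting_value: str) -> list:
    """Split the colon-separated accessibility setting into component names."""
    value = setting_value.strip()
    if not value or value == "null":
        return []
    return [c.strip() for c in value.split(":") if c.strip()]


def package_of(component: str) -> str:
    """'pkg/class' -> 'pkg'."""
    return component.split("/", 1)[0]


def resolved_home(resolve_output: str) -> str:
    """Take the component name from `resolve-activity --brief` output (its last
    non-empty line); return '' if nothing that looks like a component is there."""
    lines = [ln.strip() for ln in resolve_output.splitlines() if ln.strip()]
    return lines[-1] if lines and "/" in lines[-1] else ""


def audit_device(enabled_accessibility: str, home_resolution: str,
                 trusted_accessibility_pkgs: set, trusted_launcher_pkgs: set) -> AuditResult:
    """Flag accessibility-service holders and the HOME resolver not on the allowlists."""
    result = AuditResult()
    for comp in parse_components(enabled_accessibility):
        pkg = package_of(comp)
        if pkg not in trusted_accessibility_pkgs:
            result.findings.append(Finding(
                "accessibility", comp,
                f"{pkg} holds the accessibility service and is not allowlisted"))
    home = resolved_home(home_resolution)
    if home and package_of(home) not in trusted_launcher_pkgs:
        result.findings.append(Finding(
            "home_launcher", home,
            f"default HOME activity belongs to {package_of(home)}, not a known launcher"))
    return result


# Allowlists an analyst would tailor to their fleet (constructed here).
TRUSTED_ACCESSIBILITY = {"com.google.android.marvin.talkback"}
TRUSTED_LAUNCHERS = {"com.android.launcher3", "com.google.android.apps.nexuslauncher"}

# Constructed sample: TalkBack plus a placeholder 'fake Flash' app in the
# accessibility list, and that same placeholder resolved as the HOME activity.
SAMPLE_ACCESSIBILITY = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.fakeflash/com.example.fakeflash.AccService"
)
SAMPLE_HOME = (
    "priority=0 preferredOrder=0 match=0x108000 specificIndex=-1 isDefault=true\n"
    "com.example.fakeflash/com.example.fakeflash.LockActivity"
)


def run_sample() -> AuditResult:
    """Run the audit over the constructed sample; expected: two findings."""
    return audit_device(SAMPLE_ACCESSIBILITY, SAMPLE_HOME,
                        TRUSTED_ACCESSIBILITY, TRUSTED_LAUNCHERS)


if __name__ == "__main__":
    for f in run_sample().findings:
        print(f"[{f.kind}] {f.component}: {f.reason}")
```

On a real device, an empty accessibility list reads "null" and the HOME query prints the stock launcher component, so a clean device produces no findings; anything else is worth a closer look before the user hits Home again.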
The ransomware locks the device completely in the following two steps:
- First, the files on the device are encrypted with the AES encryption algorithm with the ‘cryeye’
- Second, the device's PIN is changed, blocking the user from using the device in any other way.
The encryption is effective: users cannot decrypt their files without the key. Moreover, the PIN is set to a random number that even the attackers do not store. The PIN is reset remotely once the ransom has been paid.
The attackers do not demand a large sum, presumably reasoning that a small amount is more likely to be paid by users who want their phones back. The ransom demanded is 0.0130 Bitcoin, which amounts to $73 at the time of writing.
The user is given 24 hours from the attack to pay the ransom; failing to do so may result in permanent loss of data. In other words, a user who does not pay within that window will never get their files back.
One way to get rid of the ransomware is to factory reset the device through recovery mode, but that wipes all data, which is also what happens if the user does not pay the ransom. So the choice is whether to delete the data yourself or let the attackers do it.
Rooted users have an advantage here, as they can remove the PIN lock by deleting the file that stores the PIN. However, this only works if debugging was already enabled on the phone before the ransomware was installed.
Prevention is better than cure
Prevention is always better than losing your data altogether. Users should pay attention to what they download and avoid installing anything that looks suspicious. In addition, a backup of your data should always be kept in case things go wrong.