Techie Explains DoubleLocker Ransomware

The name gives it away: DoubleLocker locks you out twice, once by encrypting your files and once by changing the device PIN, and then demands a ransom in Bitcoin to release the device.

This ransomware targets Android smartphones exclusively. It was first detected by the antivirus company ESET. According to ESET's analysis, it is built on the foundations of a particular banking Trojan known for misusing the accessibility services of the Android operating system. Unlike that Trojan, DoubleLocker has no functions for harvesting banking credentials or draining accounts. Instead it carries two tools for extorting money from its victims: a PIN lock and file encryption.

 

Activation of this ransomware:

  • The ransomware spreads as a fake Adobe Flash Player APK served from suspicious or compromised websites. For example, a user is watching a video on some site and the site prompts them to install a "player" so the video can play. The user downloads the APK.
  • Believing it is a genuine application, the user installs it. Because the APK comes from a website rather than an app store, this already requires the user to allow installation from unknown sources.
  • Once launched, the app asks the user to enable an accessibility service that it calls "Google Play Service".
  • With the accessibility service enabled, the malware uses it to accept the system prompts on the user's behalf: it grants itself Device Administrator rights and sets itself as the default Home application, in both cases without the user noticing.
  • At this point the malware is active on the device.
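The activation chain above leaves three traces on the device that can be checked over ADB: the list of enabled accessibility services, the list of active device administrators, and which package now answers the HOME intent. The script below is an added example, not ESET's or this article's code. It parses the text returned by the three `adb shell` commands named in its comments and flags any package that holds one of those roles without being on a trust list; the point worth noticing is that a service can be labelled "Google Play Service" in the UI, but in the settings value it appears by component name, and the real Google Play services package is com.google.android.gms, so a lookalike from any other package stands out. The sample outputs are constructed, the package com.example.flashplayer is hypothetical, and the dumpsys layout is approximated from what that command prints.

```python
"""Triage the persistence indicators DoubleLocker leaves behind.
Added example: parses constructed adb output, nothing here is ESET's code."""
import re

# Assumption: packages normally expected in each role; tune per device/OEM.
TRUSTED_ACCESSIBILITY = {"com.google.android.marvin.talkback"}
TRUSTED_ADMINS = {"com.google.android.gms", "com.android.managedprovisioning"}
TRUSTED_LAUNCHERS = {"com.android.launcher3", "com.google.android.apps.nexuslauncher"}

# Constructed sample of: adb shell settings get secure enabled_accessibility_services
# Entries are colon-separated component names; the second is the hypothetical
# dropper whose service is labelled "Google Play Service" in the UI.
SAMPLE_A11Y = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
    ":com.example.flashplayer/.GooglePlayService"
)

# Constructed excerpt of: adb shell dumpsys device_policy   (layout approximated)
SAMPLE_DPM = """Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.example.flashplayer/.AdminReceiver:
      uid=10123, explicitly enabled
      policies:
        force-lock
        reset-password
"""

# Constructed output of:
# adb shell cmd package resolve-activity --brief -a android.intent.action.MAIN -c android.intent.category.HOME
SAMPLE_HOME = """priority=0 preferredOrder=0 match=0x108000 specificIndex=-1 isDefault=true
com.example.flashplayer/.LockScreenActivity
"""


def _expand(pkg, cls):
    """Android abbreviates a class as '.Name' relative to its package."""
    return pkg + cls if cls.startswith(".") else cls


def split_components(value):
    """Turn the colon-separated settings value into (package, class) pairs."""
    pairs = []
    for comp in value.strip().split(":"):
        if "/" not in comp:
            continue
        pkg, cls = comp.split("/", 1)
        pairs.append((pkg, _expand(pkg, cls)))
    return pairs


ADMIN_RE = re.compile(r"^\s+([\w.]+)/([\w.$]+):\s*$")


def active_admins(dumpsys_text):
    """Collect 'pkg/.Receiver:' lines listed under 'Enabled Device Admins'."""
    admins, in_section = [], False
    for line in dumpsys_text.splitlines():
        if "Enabled Device Admins" in line:
            in_section = True
            continue
        m = ADMIN_RE.match(line)
        if in_section and m:
            admins.append((m.group(1), _expand(m.group(1), m.group(2))))
    return admins


def default_home(resolve_text):
    """The last non-empty line of 'resolve-activity --brief' is the chosen component."""
    lines = [l.strip() for l in resolve_text.splitlines() if l.strip()]
    comp = lines[-1] if lines else ""
    return comp.split("/", 1)[0] if "/" in comp else None


def triage(a11y_value, dumpsys_text, resolve_text):
    """Return (indicator, package, detail) findings for untrusted role holders."""
    findings = []
    for pkg, cls in split_components(a11y_value):
        if pkg not in TRUSTED_ACCESSIBILITY:
            findings.append(("accessibility_service", pkg, cls))
    for pkg, cls in active_admins(dumpsys_text):
        if pkg not in TRUSTED_ADMINS:
            findings.append(("device_admin", pkg, cls))
    home = default_home(resolve_text)
    if home and home not in TRUSTED_LAUNCHERS:
        findings.append(("default_home", home, "HOME intent resolves here"))
    return findings


def packages_with_full_chain(findings):
    """DoubleLocker's signature is one package holding all three roles at once."""
    roles = {}
    for indicator, pkg, _ in findings:
        roles.setdefault(pkg, set()).add(indicator)
    wanted = {"accessibility_service", "device_admin", "default_home"}
    return sorted(pkg for pkg, held in roles.items() if held >= wanted)


if __name__ == "__main__":
    found = triage(SAMPLE_A11Y, SAMPLE_DPM, SAMPLE_HOME)
    for indicator, pkg, detail in found:
        print("%-22s %-26s %s" % (indicator, pkg, detail))
    print("full chain:", packages_with_full_chain(found))
```

On a live device, feed the script the real command outputs instead of the samples; a single third-party package that is at once an accessibility service, a device administrator and the default launcher is exactly the state the activation steps above produce.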

 

What does the ransomware do after activation:

DoubleLocker attacks Android devices in two ways:

  • It encrypts the files in the device's primary storage directory with the Advanced Encryption Standard (AES)
  • It appends the .cryeye extension to every file it has encrypted

On top of the encryption, it changes the device's PIN, locking the victim out of the phone entirely. The new PIN is a random value that the attackers neither store nor send anywhere, so neither the user nor a security expert can recover it; only after the ransom is paid can the attacker remotely reset the PIN and unlock the device. The ransom is set at 0.0130 BTC (about USD 54 at the time) and the note insists it must be paid within 24 hours. If it is not paid, the data stays encrypted but is not deleted.
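Because the encryption key is never stored, the practical question after an infection is not "how do I decrypt" but "which files were hit, so I know what to restore from backup". The script below is an added example, not ESET's or this article's code. It walks a storage directory, lists every file carrying the .cryeye extension together with the name it had before, and measures each file's byte entropy: AES ciphertext sits close to 8 bits per byte, so a low score means the file was only renamed (or the write was interrupted) and may still be readable. The sample tree is constructed in a temporary directory and the entropy threshold is an assumption.

```python
"""Inventory files touched by the .cryeye encryption step.
Added example built on constructed sample files, not code from the malware or ESET."""
import math
import os
import tempfile
from collections import Counter

EXT = ".cryeye"
ENTROPY_THRESHOLD = 7.5  # assumption: bits/byte above which content looks like ciphertext


def shannon_entropy(data):
    """Bits of entropy per byte; 8.0 is the maximum for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def inventory(root):
    """List every .cryeye file under root with its original name and a verdict."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.endswith(EXT):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            ent = shannon_entropy(data)
            hits.append({
                "path": os.path.relpath(path, root),
                "original": name[:-len(EXT)],      # name to look for in the backup
                "size": len(data),
                "entropy": round(ent, 2),
                "verdict": "ciphertext" if ent >= ENTROPY_THRESHOLD
                           else "not encrypted (renamed only?)",
            })
    return sorted(hits, key=lambda h: h["path"])


def make_sample_tree():
    """Constructed victim storage: one random blob standing in for AES output,
    one file that was merely renamed, one file the malware never touched."""
    root = tempfile.mkdtemp(prefix="doublelocker_demo_")
    os.makedirs(os.path.join(root, "DCIM"))
    with open(os.path.join(root, "DCIM", "IMG_0001.jpg" + EXT), "wb") as fh:
        fh.write(os.urandom(4096))
    with open(os.path.join(root, "notes.txt" + EXT), "wb") as fh:
        fh.write(b"shopping list: milk, eggs, bread\n" * 64)
    with open(os.path.join(root, "untouched.txt"), "wb") as fh:
        fh.write(b"still fine\n")
    return root


if __name__ == "__main__":
    for hit in inventory(make_sample_tree()):
        print("%-28s original=%-14s %5d bytes  H=%.2f  %s" % (
            hit["path"], hit["original"], hit["size"], hit["entropy"], hit["verdict"]))
```

Run it against a copy of the phone's storage pulled with `adb pull` rather than against the device itself; the "original" column is the list of names to restore from your backup, and anything marked as not encrypted deserves a manual look before it is written off.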

 

How to get rid of it?

The ransom note claims that the original files cannot be recovered without the attackers' software, and it asks the user to uninstall or disable any antivirus application. Neither claim should drive your decisions. The request to remove security software is there because a reputable mobile security product that already recognises the sample blocks the fake Flash Player before it runs; a product that does not yet detect it offers no such guarantee, so it is protection against this family, not a reason to feel immune.

So what is the solution to get rid of this ransomware?

  • The safest and most reliable solution is a factory reset of the device, which wipes the malware along with everything else.
  • For rooted devices there is a way past the PIN lock without a factory reset, provided USB debugging was enabled before the ransomware activated. The user connects over ADB and deletes the system file in which Android stores the PIN, which unlocks the screen. Then, after booting into safe mode so that the malware's Home screen is not loaded, the user can revoke its device administrator rights and uninstall it. This removes the lock only; it does not decrypt any files.

The sad part is that once files are encrypted there is no way to get them back without the key, and the attackers never kept it. If you have a backup, restore from it after cleaning or resetting the device and there is nothing to worry about. If you do not, the rooted-device method above will not help either, since it only removes the PIN lock. Paying the ransom is the one remaining option, and it is not recommended: there is no assurance of getting the data back.

 

What do we learn from this?

  • Stay away from suspicious websites
  • Do not install applications that a website prompts you to download; a "player" you were not looking for is a red flag
  • Never enable an accessibility service or grant device administrator rights to an app that has no obvious need for them
  • Always back up your data
  • Keep your device protected with a reputable security product, and do not disable it because an app tells you to

Stay safe guys!!

Article Sources:

ESET, which discovered the malware, published a video explaining how it works; refer to it if you want more detail on its operation.
