Android Ransomware Alert! DoubleLocker changes your phone’s PIN and encrypts your data

DoubleLocker is an Android ransomware the likes of which have never been seen before. The malware is designed to launch a two-pronged attack – it locks down the phone it infects and encrypts all files stored on the device.

What is spreading DoubleLocker ransomware?
The malware gets into a device when a user is tricked into installing a malicious Adobe Flash Player app from a compromised website.

Once installed, the app asks the user to activate the ‘Google Play Services’ accessibility feature. As the app disables the phone ‘Back’ button, the user has to tap on the Home button to close the prompt.  This prompt keeps appearing at frequent intervals of time to instigate the user to turn on the accessibility feature. And if the user falls for this trick, the app then gains device administrator rights to carry out its malicious activities.

For your information, Accessibility service is a feature of the Android operating system aimed at helping users with disabilities 

Why is DoubleLocker so dangerous?
DoubleLocker locks the infected device by changing its PIN to a random combination. The new PIN cannot be recovered because it does not get stored on the device nor sent anywhere. Thereafter, it encrypts all the files stored on the device’s primary storage using AES encryption algorithm. Files encrypted by this ransomware have a “.cryeye” extension.

DoubleLocker is more sophisticated and dangerous than other Android ransomware because it tries to remain persistent on the infected device. It does this by setting itself as the default Home app (the home button) by abusing the device admin rights without the user’s knowledge. So, every time the user taps on or presses the Home button, the ransomware gets reactivated and the phone gets locked again. This means, even if the user somehow bypasses the lock screen, pressing the Home button will lock the device again.

The ransom
DoubleLocker demands a ransom of 0.013 Bitcoin ($76.31 at the time of writing this post) to unlock the device and decrypting the files. According to the ransom note, the ransom has to be paid within 24 hours otherwise the data will remain encrypted permanently.

Ransom note

What to do if your phone is infected by DoubleLocker?
Factory resetting the infected device will get rid of the ransomware but would also erase all files stored on the device. In any case, paying the ransom is not advised – there is no guarantee if your phone or files will get back to normal.

How to stay safe from such malware?

> Never download apps from third-party app stores or websites that do not belong to the app’s manufacturer.

> Do not download apps by clicking on advertisements or links received in emails, SMS, and WhatsApp messages.

> Backup all important data in a secure online and offline location.

> Use a reliable mobile security app that can block access to compromised websites and prevent fake or malicious apps from getting installed on your phone.

If you found this article helpful, share it with your friends and acquaintances.

Sources:

www.economictimes.indiatimes.com
https://www.firstpost.com
www.theregister.co.uk

Rajiv Singha