DoubleLocker is based on a banking Trojan, so in the first instance it collects the users' bank or PayPal credentials in order to empty their accounts or even delete them. In addition, it is able to encrypt the accessible data on the infected device and then change the PIN. As a result, users cannot access their devices until they pay the ransom demanded by the cybercriminals.

The new PIN is set to a random value; it is neither stored on the device nor sent anywhere else, which is why neither the user nor a security expert can recover it. Once the extortion payment has been made, the cybercriminal resets the PIN remotely and unlocks the device. The ransom demanded is 0.0130 Bitcoins and must be paid within the first 24 hours. Otherwise, the data will remain encrypted, but it will not be deleted.

According to the company's computer-security researchers, this is the first time Android malware has been created that combines both data encryption and a PIN change.

"Due to its banking threat roots, DoubleLocker could well become what we can call a ransom-banker. It is malware that works in two stages. First, it tries to empty your bank account or PayPal, and then it locks your device and information to request the payment of the ransom. Leaving the speculation aside, the first time we saw a trial version of such a ransom-banker was in May 2017," said Lukas Stefanko, who discovered DoubleLocker.

The ransomware spreads via fake Adobe Flash Player downloads from compromised websites and installs itself after it is granted access through the Google Play service. Once it obtains the accessibility permissions, it activates device administrator rights on the phone and sets itself as the default Home application without the user's consent.

"Establishing itself as a default startup application (a launcher) is a trick that improves the persistence of the malware. Each time the user clicks the Start button, the ransomware gets activated and the device gets locked again. Thanks to the use of the accessibility service, the user does not know that they are executing malware by pressing Start," explained Stefanko.
ESET researchers demonstrate how this ransomware works in the video below:
How to protect yourself from DoubleLocker?
Stefanko's recommendation is to perform a factory reset of the device. However, it is possible to bypass the PIN lock without resetting the phone, but only if USB debugging was already enabled on it before the ransomware was activated. In that case, the user can connect through ADB and delete the system file that stores the PIN; this unlocks the screen and the device can be accessed again. Alternatively, you can revoke the malware's device administrator rights and then uninstall it; sometimes a reboot is required first. So, what do you think about this? Simply share your views and thoughts in the comment section below.