DoubleLocker ransomware infects Android phones, changing the PIN

0
4
DoubleLocker ransomware infects Android phones, changing the PIN

Consider this yet another PSA on why you should never ever download Adobe Flash Player, or anything resembling it if you’re using an Android phone.

Security researchers at ESET have discovered a new kind of ransomware infecting Android phones on a level nobody’s ever seen before. Called DoubleLocker, the exploit encrypts the data on the infected device and then changes its PIN number so victims are locked out of their device unless they pay the ransom demanded by hackers.

The DoubleLocker hack is a threat to any Android device; it’s particularly worrying since it doesn’t require a “rooted” phone that gives extra access for the hacker to run its own code, but the effect is severe â€?locking the user completely out of their own device.

ESET researchers say this is the first time on Android that any malware has been created that combines both data encryption and PIN changes.

The ransomware is distributed through fake Adobe Flash Player downloads shared on compromised websites and it installs itself once you give it accessibility access through the “Google Play Service.” You can see a video of how the ransomware is triggered in the video below.

The malware installs itself as the default Android launcher, the piece of software that controls the look and feel of the device and how apps and widgets launch, and essentially creates an invisible shortcut that activates itself whenever the home button is pressed.

You’ll know your files are infected if you see a “.cryeye” extension at the end of the file.

DoubleLocker also changes your device’s PIN number to a random combination which isn’t sent to the hackers. With no digital trail, it’s virtually impossible to recover the PIN. The hackers can remotely reset the PIN when you pay the ransom.

Users with DoubleLocker-infected devices have 24 hours to pay 0.0130 Bitcoin (about $73.38 at the time of this writing) to un-encrypt their data. Fortunately, your files aren’t deleted if you don’t pay up. But still, this is ransomware and since your phone will be locked with an unknown passcode, you’re at the hackers’ mercy.

At this time the only way to remove DoubleLocker is to perform a factory reset, which will erase all of your files. 

However, if you have a phone that was rooted and in debug mode before DoubleLocker locked it up, you can bypass the malware’s randomized PIN code without a factory reset, according to WeLiveSecurity. If your device meets both of these parameters, you can by access it with the Android Debug Bridge (adb) and remove the file system where the PIN code is stored. Once that’s done, you can switch your device to “safe mode” to disable the admin permissions for the malware and remove it. It’s not an easy process and you should definitely wipe the entire device once you’ve recovered your files, just to guarantee that DoubleLocker is completely removed.

You’ll know your files are infected if you see a “.cryeye” extension at the end of the file.

In 2012, Adobe removed Flash from the Google Play Store, officially ending its development on mobile. While Flash was pivotal to the development of the interactive websites during the ’90s and early ’00s, it’s no longer relevant in mobile ecosystems.

Steve Jobs openly criticized Flash for its being a huge battery hog and for its endless security exploits. 

While no longer crucial on mobile devices â€?developers have moved on to the faster and more secure HTML 5 â€?DoubleLocker is a reminder that there are many people who aren’t informed on the dangers that come with installing Flash. 

It might take something as courageous as Adobe publicly denouncing Flash before people ingrain it in their brains that installing Flash anything is extremely insecure and not worth potentially compromising their devices.

(

LEAVE A REPLY

Please enter your comment!
Please enter your name here