Ransomware encrypts files and changes pin on Android phones
Researchers at security firm ESET have discovered Android ransomware that they have named DoubleLocker. This variant encrypts files and changes a device’s PIN code in order to force payment.
According to the researchers, the malware uses Android’s accessibility options to grant itself administrative privileges. To do this, the malware requests access to the Google Play Service. In addition, this way the malware can reactivate itself every time the victim presses the Home button. ESET writes that the malware is distributed through acquired sites and that this variant masquerades as a Flash Player app.
Once DoubleLocker has obtained the necessary permissions, the ransomware can replace the PIN code of the victim’s device with a random code, which is not stored or sent. Therefore, it would not be possible for the victim or an investigator to retrieve the code. In addition, the malware encrypts files in the root directory with aes encryption, which the researchers say contains no bugs in the implementation.
In this way, the ransomware aims to force payment of ransom. That equates to 0.013 bitcoin, which at the current price is around 50 euros. The victim is given 24 hours to pay, but after the expiry of that period, the encrypted data will not be deleted, according to ESET. The ransomware could only be removed from an infected device by restoring it to factory settings.
If the malicious software has not yet been activated, this can also be done on a rooted device by connecting via adb and deleting the system pin code file and revoke the app’s administrator privileges in safe mode.