Double Locker: The two-step ransomware exposed

Double Locker is a two-step ransomware that adopts a dual-locking approach. In addition to encrypting all the user data, it also locks the device by exploiting its accessibility settings.

Researchers from cybersecurity firm ESET have discovered a new type of ransomware on Android devices that has been spreading through counterfeit applications. The ransomware, named Double Locker, is a two-stage malware that is capable not only of encrypting the user’s data on a device but also of changing the security PIN code, thus adopting a double-locking approach.

Double Locker affects Android devices primarily in two ways. First, it encrypts all the data files with the AES encryption mechanism and appends the .cryeye file extension to them. Second, it blocks access to the device by changing the device's PIN.

According to the research, the ransomware’s code is based on a particular banking Trojan known as Android.BankBot.211.origin, which compels users to give accessibility permission.

Double Locker encrypts all files in the primary storage using the AES encryption algorithm and attaches the extension .cryeye. Attackers have set the ransom at 0.013 Bitcoin (approx. USD 70), which is demanded to be paid within 24 hours of the attack. “Double Locker affects the Android devices primarily in two ways: first, encrypts all the data files with AES encryption mechanism and corrupts the same with the .cryeye file extension, thus becoming a perfect case for a ransom demand. Additionally, the malicious software also affects the accessibility of the devices by changing the PIN of the device, which cannot be accessed by the users,” explained Sandeep Sharma, Associate Research Manager – Software and Services at IDC.

Ransomware’s dual-lock approach

According to ESET researchers, Double Locker is more advanced than other types of Android ransomware because it is the first of its kind to abuse the device's accessibility settings to obtain device administrator rights and so control the device. After gaining the admin rights, the malware sets itself as the default home app on the device, a persistence mechanism that blocks users from bypassing the lock: every time a user presses the home button, the ransomware is reactivated.
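
The chain described above (accessibility service, device administrator, default home app) requires three declarations in an app's manifest, so a package that declares all three together is worth a manual look before it is allowed onto managed devices. The following triage check is an added example, not code from ESET or from the original article; it assumes the APK's AndroidManifest.xml has already been decoded to plain XML, and the sample manifest and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # namespace of android: attributes
ALL_THREE = {"accessibility_service", "device_admin", "home_launcher"}

# Constructed sample (not a real app): a decoded manifest declaring all three components.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
 <application>
  <activity android:name=".Home"><intent-filter>
    <action android:name="android.intent.action.MAIN"/>
    <category android:name="android.intent.category.HOME"/>
  </intent-filter></activity>
  <service android:name=".Svc" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
   <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
  </service>
  <receiver android:name=".Adm" android:permission="android.permission.BIND_DEVICE_ADMIN">
   <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
  </receiver>
 </application>
</manifest>"""

def names_in(intent_filter, tag):
    """android:name values of the <action> or <category> children of one filter."""
    return {e.get(A + "name") for e in intent_filter.findall(tag)}

def declared_capabilities(manifest_xml):
    """Return which of the three building blocks the manifest declares."""
    found = set()
    for comp in ET.fromstring(manifest_xml).iter():
        perm = comp.get(A + "permission")
        for flt in comp.findall("intent-filter"):
            actions, cats = names_in(flt, "action"), names_in(flt, "category")
            if (comp.tag == "service" and perm == "android.permission.BIND_ACCESSIBILITY_SERVICE"
                    and "android.accessibilityservice.AccessibilityService" in actions):
                found.add("accessibility_service")
            if (comp.tag == "receiver" and perm == "android.permission.BIND_DEVICE_ADMIN"
                    and "android.app.action.DEVICE_ADMIN_ENABLED" in actions):
                found.add("device_admin")
            if (comp.tag in ("activity", "activity-alias") and "android.intent.action.MAIN" in actions
                    and "android.intent.category.HOME" in cats):
                found.add("home_launcher")
    return found

def needs_review(manifest_xml):
    """True only when a single package declares all three components together."""
    return declared_capabilities(manifest_xml) == ALL_THREE
```

A match is a reason for manual review rather than a verdict, since each of the three declarations is also used by legitimate launcher, accessibility and device-management apps.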

Distributed as a fake flash player

The ransomware is reportedly spread through malware-infected websites as a fake Flash Player, with visitors tricked into downloading the application. “The attackers are trying to pose the ransomware as a flash player. Once users visit a website to watch visual content, they are forced to download fake flash applications through malicious pop-ups which state they would not be able to stream videos unless they install the Adobe Flash Player,” says Rakshit Tandon, Consultant – Security, Internet & Mobile Association of India.

What if a user is attacked?

According to experts, if a user already has a backup of all data on the attacked device, the attack is comparatively benign: with a factory reset, the device will be back to normal. For devices without backups, it is still possible to recover the data, but only if the device is rooted and has its debugging mode on. Otherwise, paying the ransom is the only option for data recovery, which experts do not recommend. Instead, experts recommend always keeping a backup of all important data.