Scam of the Week – DoubleLocker Android Ransomware

October 20, 2017 8:21 am Paul Mullin

Cyber criminals have been busy devising an innovative ransomware scam that abuses Android accessibility services. The malware is built on the foundations of a banking Trojan, which the attackers leverage to extort money from its victims; experts report that these attacks combine capabilities previously unseen together in the Android ecosystem.

DoubleLocker is the first known Android ransomware that both encrypts the user’s files and locks the device by changing its PIN. Double trouble, hence the name. Because it is derived from a long-established banking malware family, experts expect the malware to attempt to steal money directly from your bank account and then to make an additional profit from you via the ransom. This combination is what is being called a ransom-banker.

This scam goes to show the lengths cyber criminals will go to. The accessibility service is a feature of the Android operating system aimed at helping users with disabilities. Unfortunately, this service also poses a high security risk: it enables applications to perform actions on the user’s behalf, such as clicking buttons in dialog boxes and system menus. In the case of malware, this is often done without the user’s knowledge.

DoubleLocker spreads in a similar way to its banking parent. By and large it is distributed as a fake Adobe Flash Player through websites that have been compromised. Upon launch, the app asks the user to activate the malware’s accessibility service, which is named "Google Play" to look legitimate. Once accessibility permissions are granted, the malware uses them to activate device administrator rights for itself and to set itself as the default home application, in both cases without the user’s knowledge.

Setting itself as the default home app is what makes users more susceptible: each time the user presses the home button, the ransomware is launched again and the device is locked once more. All the while, the user remains unaware that tapping the home button is launching the malware.

The ransom has been set at 0.0130 Bitcoin (approx. $54), and the ransom note states that it must be paid within 24 hours. This kind of attack serves as a reminder for us all to have reputable anti-virus software installed on all devices and to run regular backups to prevent data loss.