A newly discovered ransomware family targeting Android devices is abusing the platform’s accessibility services, ESET warns.
Dubbed DoubleLocker, this innovative Android malware doesn’t merely encrypt users’ data, but also locks the infected devices down, security researchers from ESET say.
The ransomware is based on the source code of the BankBot banking Trojan, which is already known for misusing accessibility services on Android. The new malware family, however, lacks the functions related to harvesting users’ banking credentials and instead relies on two other tools for extorting money from its victims.
BankBot had its source code leaked online in late 2016, which already spawned numerous banking Trojan variations. However, DoubleLocker is the first Android ransomware to leverage the leaked code.
DoubleLocker mainly spreads as a fake Adobe Flash Player application downloadable through compromised websites. Once installed on the victim’s device, it requests activation of the accessibility service called “Google Play Service,” which allows it to gain administrator rights and set itself as the default Home application, without the user’s consent.
The malware also changes the device’s PIN code, thus locking the victim out. The new PIN is a randomly generated value that is neither stored on the device nor sent out, so the user has no way to recover it. The attackers, however, can remotely reset the PIN and unlock the device.
“Setting itself as a default home app – a launcher – is a trick that improves the malware’s persistence. Whenever the user clicks on the Home button, the ransomware gets activated and the device gets locked again. Thanks to using the accessibility service, the user doesn’t know that they launched malware by hitting Home,” explains ESET Malware Researcher Lukáš Štefanko.
Next, the ransomware encrypts all of the files located in the device’s primary storage directory. The malware uses the AES encryption algorithm for this operation and appends the .cryeye extension to the affected files.
The ransom note claims that the original files have been deleted and that users should pay the ransom within 24 hours. The malware asks for a 0.0130 Bitcoin ransom (around $50) and displays a QR code that should make it easier for victims to pay.
“DoubleLocker misuses Android accessibility services, which is a popular trick among cybercriminals. Its payload can change the device’s PIN, preventing the victim from accessing their device, and encrypt the victim’s data. Such a combination hasn’t been seen yet in the Android ecosystem,” Štefanko says.
The security researcher also points out that, although the ransomware lacks the credential-harvesting capabilities of BankBot, such functionality could easily be added to it.
“Given its banking malware roots, DoubleLocker may well be turned into what can be called ransom-bankers. Two-stage malware that first tries to wipe your bank or PayPal account and subsequently locks your device and data to request a ransom… Speculation aside, we spotted a test version of such a ransom-banker in the wild as long ago as May 2017,” warns Štefanko.