In July, researchers noticed a new banking Trojan attacking Android devices. Dubbed Android.BankBot.211.origin, it was distributed mainly through fake Adobe Flash Player downloads and similar impersonations of well-known programs. Once installed, Android.BankBot.211.origin abused the Android Accessibility Service to take control of the device and steal confidential banking credentials. As with many families of malicious code, threat actors keep improving on it, and Android.BankBot.211.origin is no exception. In a report by the cybersecurity firm ESET, researchers described in depth a new ransomware found in the wild that was attacking Android devices, and uncovered that it was a variant of the Android.BankBot.211.origin banking Trojan. Named DoubleLocker, the ransomware is likewise distributed as a malicious Adobe Flash Player file. This is where the similarities with its parent malware end, however, as the ransomware (unsurprisingly) serves a different purpose than Android.BankBot.211.origin.
DoubleLocker, being ransomware, seeks to lock the victim out of the device. First, it changes the PIN code of the infected Android phone or tablet so that the owner has no way of immediately accessing the device. Second, it encrypts every file in the primary storage directory with AES. Because of the way the ransomware carries out the attack, there is no way to decrypt the files yourself; the victim is instead pressured to pay a ransom of 0.0130 bitcoins to get them back.
The only methods of purging DoubleLocker from a device are either a hard factory reset or a more involved procedure that depends on 1) the Android device being rooted and 2) debugging mode having been enabled before the infection. As Lukáš Štefanko, the researcher who first identified DoubleLocker, instructs (as paraphrased by ESET), you must:
Connect to the device by ADB and remove the system file where the PIN is stored by Android. This operation unlocks the screen so that the user can access their device. Then, working in safe mode, the user can deactivate device administrator rights for the malware and uninstall it. In some cases, a device reboot is needed.
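The procedure above can be wrapped in a small helper that performs the two preconditions (an authorized ADB connection and a root shell) before touching anything, then removes the lock-screen credential files. The script below is an added example, not code from the original post or from ESET; it assumes the `adb` binary is on the PATH, and the set of files in LOCK_FILES is an assumption about where Android 6 to 9 era builds store the lock credential (check it against your device's Android version before relying on it). A DRY_RUN=1 environment variable prints the commands instead of running them so an operator can review them first.

```shell
#!/bin/sh
# Added example (not from the original post or ESET). Automates the
# ADB-based recovery described above: verify one authorized device,
# verify a root shell, remove the lock credential files, then tell the
# operator to finish the manual steps (safe mode, revoke device admin,
# uninstall). Requires USB debugging enabled before infection and root.

ADB="${ADB:-adb}"   # adb binary (or a stand-in for testing)

# ASSUMPTION: lock-screen credential files used by Android 6 to 9 era
# builds; confirm for your device before running without DRY_RUN=1.
LOCK_FILES="/data/system/locksettings.db /data/system/locksettings.db-shm /data/system/locksettings.db-wal /data/system/gatekeeper.password.key /data/system/gatekeeper.pattern.key"

# Succeeds only if exactly one device is attached in the "device" state
# (not "unauthorized" or "offline"). `adb devices` prints a header first.
device_ready() {
    count=$("$ADB" devices | awk 'NR>1 && $2=="device" {n++} END {print n+0}')
    [ "$count" -eq 1 ]
}

# Succeeds only if `su` is present and a root shell reports uid 0.
device_rooted() {
    uid=$("$ADB" shell su -c id 2>/dev/null | sed -n 's/^uid=\([0-9]*\).*/\1/p' | tr -d '\r')
    [ "$uid" = "0" ]
}

# Removes each lock credential file; with DRY_RUN=1 it only prints the
# command that would run, one line per file.
remove_lock_files() {
    for f in $LOCK_FILES; do
        if [ "${DRY_RUN:-0}" = "1" ]; then
            echo "$ADB shell su -c rm -f $f"
        else
            "$ADB" shell su -c "rm -f $f"
        fi
    done
}

# Full recovery flow: preflight checks, file removal, then the manual
# steps the operator still has to perform on the device itself.
recover() {
    device_ready || { echo "no single authorized device; was USB debugging enabled before infection?" >&2; return 1; }
    device_rooted || { echo "root shell unavailable; this procedure requires a rooted device" >&2; return 2; }
    remove_lock_files
    echo "lock files removed: reboot into safe mode, revoke the malware's device administrator rights, then uninstall it"
}
```

Run `DRY_RUN=1 sh recover.sh` first (after adding a final `recover` line) to see the exact commands; the preflight functions return distinct exit codes so a failed precondition is distinguishable from a failed removal. Once the screen unlocks, the safe-mode steps (revoking device administrator rights and uninstalling the app) are still done by hand on the device.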
The unfortunate reality with DoubleLocker is the lack of options that do not end in total file loss. The lesson here is twofold. Firstly, be careful at all times about the files you execute and the websites you browse. Secondly, routinely back up all sensitive data from your devices so that, if you are unexpectedly infected by ransomware, the attackers cannot use your data as leverage.
Photo credit: Wikimedia