Many Android apps offer screen-lock customization. However, beware of the DoubleLocker ransomware, which hides behind exactly that kind of setup.
DoubleLocker ransomware not only encrypts user data but also alters PIN codes to extort money from victims.
Security researchers at ESET have uncovered DoubleLocker, ransomware that abuses Android's Accessibility permissions and is the first to use a double-lock approach: it changes the device's PIN and also encrypts the user's data.
DoubleLocker focuses solely on ransom demands and does not access detailed banking information stored on mobile devices and tablets.
DoubleLocker spreads disguised as a fake Adobe Flash Player app and uses a clever trick to activate itself: it asks the user to enable Accessibility services, then sets itself as the default Home app (launcher).
Lukáš Štefanko, malware researcher at ESET and the discoverer of DoubleLocker, explains:
DoubleLocker sets itself as the default Home button, a launcher, as a trick to enhance the malware's resilience. Whenever the user presses the Home button, the ransomware is triggered and the device gets locked. Because it uses Accessibility services, users remain unaware that pressing Home runs the malware.
Upon activation, DoubleLocker first changes the device's PIN to a random value. This PIN is not stored anywhere on the device, so there is no way to determine what it is. This is the first lever used to extort victims: once they have paid the ransom, the attacker can reset the PIN remotely.
The second lever is encrypting the user's data with the AES algorithm and appending the '.ryry' extension to each encrypted file.
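The three behaviours described above (an unexpected default Home app, an unexpected Accessibility service, and '.ryry'-suffixed files) are also the indicators a responder would check for when triaging a device. The following Python script is an added example, not code from the article or from ESET: it parses constructed sample output in the format that `adb shell settings get secure enabled_accessibility_services` and `adb shell cmd package resolve-activity --brief ...` are assumed to print, walks a constructed directory for '.ryry' files, and uses a byte-entropy check to confirm that those files look like ciphertext rather than renamed plaintext. All package names and allowlists are hypothetical.

```python
import math
import os
import random
import tempfile
from collections import Counter
from typing import Dict, List

# --- Constructed sample adb output (hypothetical package names) -------------
# `adb shell settings get secure enabled_accessibility_services` is assumed to
# print a colon-separated list of package/service pairs, or "null" when empty.
SAMPLE_ACCESSIBILITY = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.fakeflash/com.example.fakeflash.AccService"
)
# `adb shell cmd package resolve-activity --brief -a android.intent.action.MAIN
# -c android.intent.category.HOME` is assumed to print a priority line and then
# the resolved package/activity.
SAMPLE_HOME = (
    "priority=0 preferredOrder=0 match=0x108000 specificIndex=-1 isDefault=true\n"
    "com.example.fakeflash/.MainActivity"
)

# Allowlists a responder would populate for their own fleet (constructed here).
KNOWN_ACCESSIBILITY = {"com.google.android.marvin.talkback"}
KNOWN_LAUNCHERS = {"com.google.android.apps.nexuslauncher", "com.android.launcher3"}


def parse_accessibility_services(output: str) -> List[str]:
    """Return package names of enabled accessibility services ([] for 'null')."""
    text = output.strip()
    if not text or text == "null":
        return []
    return [entry.split("/")[0] for entry in text.split(":") if entry]


def unexpected_accessibility(output: str, allowlist=KNOWN_ACCESSIBILITY) -> List[str]:
    """Accessibility services not on the allowlist (DoubleLocker needs one)."""
    return [pkg for pkg in parse_accessibility_services(output) if pkg not in allowlist]


def parse_home_package(output: str) -> str:
    """Return the package resolved for the HOME intent, or '' if unresolved."""
    for line in output.splitlines():
        line = line.strip()
        if "/" in line and "=" not in line:  # skip the priority=... header line
            return line.split("/")[0]
    return ""


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; AES ciphertext sits near 8.0, plain text well below."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def find_ryry_files(root: str) -> List[str]:
    """All files under root carrying the '.ryry' extension DoubleLocker appends."""
    hits = []
    for dirpath, _, names in os.walk(root):
        hits.extend(os.path.join(dirpath, n) for n in names if n.lower().endswith(".ryry"))
    return sorted(hits)


def triage(accessibility_output: str, home_output: str, root: str) -> Dict[str, object]:
    """Combine the three indicators into one report."""
    home = parse_home_package(home_output)
    ryry = find_ryry_files(root)
    high_entropy = []
    for path in ryry:
        with open(path, "rb") as f:
            if shannon_entropy(f.read(4096)) > 7.0:
                high_entropy.append(path)
    return {
        "unexpected_accessibility": unexpected_accessibility(accessibility_output),
        "home_package": home,
        "home_unexpected": bool(home) and home not in KNOWN_LAUNCHERS,
        "ryry_files": ryry,
        "ryry_high_entropy": high_entropy,
    }


def make_sample_tree() -> str:
    """Constructed directory: one untouched text file and two '.ryry' files
    filled with pseudo-random bytes standing in for AES ciphertext."""
    root = tempfile.mkdtemp(prefix="doublelocker_demo_")
    rng = random.Random(1)
    os.makedirs(os.path.join(root, "DCIM"))
    with open(os.path.join(root, "notes.txt"), "w") as f:
        f.write("plain text, untouched\n" * 50)
    for rel in ("DCIM/IMG_0001.jpg.ryry", "report.pdf.ryry"):
        with open(os.path.join(root, rel), "wb") as f:
            f.write(bytes(rng.getrandbits(8) for _ in range(4096)))
    return root


if __name__ == "__main__":
    for key, value in triage(SAMPLE_ACCESSIBILITY, SAMPLE_HOME, make_sample_tree()).items():
        print(f"{key}: {value}")
```

On a real device the two adb commands would be run over USB with `adb shell` and their output fed to `triage()` together with a pulled copy of the user's storage; the entropy check matters because a renamed but unencrypted file would be recoverable simply by restoring its name, whereas high-entropy '.ryry' files are genuinely lost without the key, as the article goes on to say.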
Štefanko also advises users:
- When encryption is done properly, if your device unfortunately falls victim there is no way to recover the files unless you obtain the encryption key from the attacker.
- If you have previously backed up your data, you can remove the ransomware without paying the attacker any ransom. As ESET explains:
The most feasible option to 'clean up' DoubleLocker ransomware from your device is a factory reset, which restores the Android device to its original manufacturer state.
You can refer back to the guide on how to perform an Android factory reset here.
For rooted devices, there is a way to bypass the locked PIN without resorting to a factory reset. For this method to work, the device must already have been put into debugging mode before the ransomware was activated.
If that condition is met, the user can connect to the device via ADB and delete the system files in which the PIN is stored. This unlocks the screen so the user can access the device.
Afterwards, in Safe Mode, the user can disable the malware's device-administrator rights and uninstall it. In some cases the device may need to be rebooted.
https://Mytour.vn/ransomware-doublelocker-21862n.aspx
As for the data stored on the device, there is no way to recover it.
