Ransomware has become a menace of late, and it is bound to multiply as the number of smartphone users grows rapidly, especially in developing economies. It has now emerged that a new kind of ransomware is infecting Android phones on a large scale.
A ransomware known as DoubleLocker can encrypt the data on an infected Android phone and change the device's PIN, according to security researchers at ESET. The ransomware is built on the foundations of a particular banking Trojan but does not use the banking credentials to extract cash. Instead, the attackers use it to extort money from victims by demanding a certain amount for their handsets to be unlocked.
Victims of the ransomware end up paying the demanded amount because the new PIN cannot be recovered: it is changed to a random value that is not even sent to the attackers. However, the attackers can reset the PIN and unlock the device once the ransom is paid. Victims are asked to pay 0.0130 BTC (around $54) within 24 hours. The data on an infected phone is not deleted, but the device cannot be used until the ransom is paid.
"Given its banking malware roots, DoubleLocker may well be turned into what could be called ransom-bankers. Two-stage malware that first tries to wipe your bank or PayPal account and subsequently locks your device and data to request a ransom... Speculation aside, we spotted a test version of such a ransom-banker in the wild as long ago as May, 2017," said Lukas Stefanko, the ESET malware researcher who discovered DoubleLocker.
How does the ransomware spread?
Researchers at ESET have said that DoubleLocker is distributed as a fake Adobe Flash Player through compromised websites. It is installed once the Android user accepts a request to grant the malware accessibility access through Google Play Service.
"Setting itself as a default home app – a launcher – is a trick that improves the malware's persistence. Whenever the user clicks on the home button, the ransomware gets activated and the device gets locked again. Thanks to using the accessibility service, the user doesn't know that they launch malware by hitting Home," said Stefanko.
How to remove malware from your smartphone
The only way to remove the DoubleLocker ransomware is a factory reset, but you can avoid this if you have a rooted device. The researchers said that "the device needed to be in the debugging mode before the ransomware got activated" for this method to work.
"If this condition is met, then the user can connect to the device by ADB and remove the system file where the PIN is stored by Android. This operation unlocks the screen so that the user can access their device. Then, working in safe mode, the user can deactivate device administrator rights for the malware and install it. In some cases, a device reboot is needed," according to WeLiveSecurity.
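The removal steps above hinge on two facts about the device: which package has taken over the Home button, and which packages hold device-administrator rights that must be revoked in safe mode before the app can be uninstalled. The following triage helper is an added example, not ESET's or WeLiveSecurity's tooling. It assumes the device was already in USB-debugging mode, that `cmd package resolve-activity --brief` prints the resolved component on its last line, and that `dumpsys device_policy` lists admins under an "Enabled Device Admins" heading as `pkg/Receiver:`; the sample text and the package name `com.example.fakeflash` are constructed so the script runs offline.

```shell
#!/bin/sh
# Added triage helper for a DoubleLocker-style lock (not the researchers' code).
# The ADB output formats below are assumptions; adjust the awk patterns if your
# Android build prints them differently.

# Package that currently resolves the HOME intent (resolve-activity output on stdin).
home_package() {
    awk -F/ 'NF >= 2 { pkg = $1 } END { print pkg }'
}

# Packages holding device-admin rights (dumpsys device_policy output on stdin).
device_admins() {
    awk '/Enabled Device Admins/ { inblk = 1; next }
         inblk && /^[[:space:]]*[A-Za-z0-9_.]+\/[^:]*:/ {
             sub(/^[[:space:]]+/, ""); sub(/\/.*/, ""); print; next }
         inblk && /^[[:space:]]*$/ { inblk = 0 }'
}

# Print the stdin packages that are not in the space-separated allowlist $1.
flag_unknown() {
    allow=" $1 "
    while IFS= read -r pkg; do
        case "$allow" in *" $pkg "*) ;; *) printf '%s\n' "$pkg" ;; esac
    done
}

# Launchers you expect to own the Home button on a clean device (assumed list).
KNOWN_LAUNCHERS="com.android.launcher3 com.google.android.apps.nexuslauncher"

# Constructed sample output standing in for the two adb commands.
SAMPLE_HOME='priority=0 preferredOrder=0 match=0x108000 specificIndex=-1 isDefault=true
com.example.fakeflash/.LockActivity'
SAMPLE_DPM='  Enabled Device Admins (User 0, provisioningState: 0):
    com.example.fakeflash/.AdminReceiver:
      uid=10123

  Other sections follow'

# On a real device replace the two printf sources with:
#   adb shell cmd package resolve-activity --brief -a android.intent.action.MAIN -c android.intent.category.HOME
#   adb shell dumpsys device_policy
triage() {
    printf 'Home button owner: %s\n' "$(printf '%s\n' "$SAMPLE_HOME" | home_package)"
    printf 'Device admins outside the allowlist:\n'
    printf '%s\n' "$SAMPLE_DPM" | device_admins | flag_unknown "$KNOWN_LAUNCHERS"
}
```

A package that both owns Home and holds device-admin rights while not being a known launcher is the one to deactivate in safe mode and then uninstall.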
The best way to stay clear of DoubleLocker ransomware is never to download Adobe Flash Player on your Android phone.