DoubleLocker attacks Android devices

Android users beware: new ransomware is attacking Android gadgets
13 October 2017   1658

Developers of antivirus software from ESET have discovered the first encoder for mobile devices based on Android, which extorts ransom in bitcoins for unlocking the screen. Information about this company was published in the official blog on Habrahabr.

DoubleLocker interface
DoubleLocker interface

Malicious software called DoubleLocker is developed on the basis of a bank trojan, however it is not interested in the victim's finances.

DoubleLocker does not have the functions of collecting user's bank data and erasing accounts, instead it provides tools for extortion. Malware can change the PIN of the device, blocking victim access, and also encrypts all files in the main storage device - we first see such a combination of functions in the Android ecosystem. 

ESET team

 DoubleLocker encrypted files
Files, encrypted by DoubleLocker

DoubleLocker is distributed through compromised sites under the guise of updating or activating Adobe Flash Player. Once on the device, the malware gets the necessary permissions under the guise of enabling the false service Google Play Service.

To unlock the gadget, cybercriminals demand 0.0130 BTC (around $73 at the press time), threatening otherwise to destroy all the data after 24 hours. Nevertheless, according to the, bitcoin-wallet of DoubleLocker is still empty.

DoubleLocker wallet
DoubleLocker wallet

To get rid of DoubleLocker, ESET team recommends:

  • Unplugged device that does not have a mobile device management solution capable of resetting the PIN: the only way to get rid of the lock screen is to reset it to the factory settings.
  • Routed device: the user can connect to the device via ADB and delete the file in which the PIN-code is stored. To do this, user must enable device debugging (Settings - Developer options - USB debugging). The lock screen will be deleted and the user will get access to the device. Then, working in safe mode, the user will be able to deactivate the device administrator rights for the malware and delete it. In some cases, a reboot of the device is required.

Third Party Apps Could Read Twitter Messaging

According to the company, no one used this vulnerability and the issues is now solved
18 December 2018   575

Until the beginning of December, third-party applications could access Twitter private messages. According to the company, no one took advantage of this vulnerability. Terence Eden, who found it, was paid almost $ 3,000 under the Bug Bounty program.

In 2013, there was a leak of keys to the Twitter API - so applications could access the interface bypassing the social network. To protect users, Twitter implemented an application authorization mechanism through predefined addresses (Callback URL), but it didn’t suit everyone.

Applications that do not support Callback URLs could authenticate using PIN codes. With this authorization, a window pops up that lists which data the user opens to access. The window did not request access to private messages, but in fact the application received it.

On December 6, Twitter reported that it had solved the problem. Judging by the statement of the company on the HackerOne website, no one had time to take advantage of this vulnerability.

This is not the first social network security error related to the API. In September, Twitter discovered a bug in AAAPI (Account Activity API): the system sent a copy of the user's personal message to a random recipient.