Developers of antivirus software from ESET have discovered the first encoder for mobile devices based on Android, which extorts ransom in bitcoins for unlocking the screen. Information about this company was published in the official blog on Habrahabr.
Malicious software called DoubleLocker is developed on the basis of a bank trojan, however it is not interested in the victim's finances.
DoubleLocker does not have the functions of collecting user's bank data and erasing accounts, instead it provides tools for extortion. Malware can change the PIN of the device, blocking victim access, and also encrypts all files in the main storage device - we first see such a combination of functions in the Android ecosystem.
Files, encrypted by DoubleLocker
DoubleLocker is distributed through compromised sites under the guise of updating or activating Adobe Flash Player. Once on the device, the malware gets the necessary permissions under the guise of enabling the false service Google Play Service.
To unlock the gadget, cybercriminals demand 0.0130 BTC (around $73 at the press time), threatening otherwise to destroy all the data after 24 hours. Nevertheless, according to the Blockchain.info, bitcoin-wallet of DoubleLocker is still empty.
To get rid of DoubleLocker, ESET team recommends:
- Unplugged device that does not have a mobile device management solution capable of resetting the PIN: the only way to get rid of the lock screen is to reset it to the factory settings.
- Routed device: the user can connect to the device via ADB and delete the file in which the PIN-code is stored. To do this, user must enable device debugging (Settings - Developer options - USB debugging). The lock screen will be deleted and the user will get access to the device. Then, working in safe mode, the user will be able to deactivate the device administrator rights for the malware and delete it. In some cases, a reboot of the device is required.