DoubleLocker Android Ransomware Changes Device PIN, Attempts To Drain Bank Accounts


Cybercriminals have developed a new form of Android ransomware that gives victims added incentive to pay up. In addition to scrambling the user's data with an AES encryption algorithm, the new ransomware replaces an infected device's personal identification number (PIN) with one that is randomly generated, effectively locking the rightful owner out. One the ransom is paid, the attacker can remotely reset the PIN and unlock the device.

ESET, a security firm that offers antivirus solutions for both desktop and mobile devices, discovered the new ransomware and dubbed it DoubleLocker, since it locks users out of accessing their data in two ways.

"Given its banking malware roots, DoubleLocker may well be turned into what could be called ransom-bankers. Two-stage malware that first tries to wipe your bank or PayPal account and subsequently locks your device and data to request a ransom… Speculation aside, we spotted a test version of such a ransom-banker in the wild as long ago as May, 2017," said Lukáš Štefanko, the ESET malware researcher who discovered DoubleLocker.

As always, safe computing habits are the best bet against falling prey to something like this. DoubleLocker spreads the same as its banking parent does—it is mostly distributed as a fake Adobe Flash Player through a compromised website. While a user might be easily duped by visiting a legitimate website that's been hacked, avoiding shadier corners of the web lessens the chance this happening.

The crooks behind this ransomware have set the ransom at 0.130 Bitcoin, worth approximately $54, with a message telling the user he or she has 24 hours to pay up. However, unlike some forms of ransomware that permanently deletes date after a set period of time, nothing happens in this case after 24 hours—the data is still on the device, albeit still encrypted as well.

Users who have rooted devices can sidestep the ransomware by factory resetting their device, assuming their device was in the debugging mode before the ransomware was activated. However, a factory reset also means losing any and all data that was stored on the device.