Malware security experts have just discovered a new Android virus version that functions both as a banking Trojan and mobile ransomware. This new threat to Android devices is known as DoubleLocker ransomware which seems to be related to the Svpeng Android banking Trojan. They share similar traits except that DoubleLocker is sophisticatedly developed.
This new Android virus uses a fake Flash Player update and trick users into downloading and installing it themselves. The fake Flash Player update might be available of various malicious websites which is why it is always recommended to stay away from third party app stores. According to Lukas Stefanko, an ESET researcher, DoubleLocker ransomware is created based on the Svpeng banking Trojan. On the other hand, the research data states that it does not have any banking-fraud related codes – although that might change once the virus is updated. Until then, the new Android virus might be used to swindle money from its victims’ banks or PayPal accounts. As of now, it functions as a ransomware virus that not only encrypts files but also locks the compromised Android device and its unlucky victims are asked to pay 0.0013 in order to regain their access to their device and restore the encrypted data.
Once the Fake Flash Player update is installed on the device, it asks users to activate “Google Play Service” – with this tactic; the virus is given permissions by the users once they activate it without knowing that they are letting the malware get admin rights to their smart phones. The instant the virus gets control on the device it sets itself as the default app and functions as a launcher. In other words, whenever users click the home button, the ransomware is activated. As mentioned, this ransomware locks the smart phone and replaces its PIN code. The ransomware also starts to encrypt files in the device using a strong AES encryption algorithm and appends them with the .cryeye file extension. After it completes the encryption, DoubleLocker ransomware delivers a ransom note telling its victims to pay the ransom if they want to access their phone and restore their files. The crooks provide detailed instruction with the promise to restore the files as soon as they receive the ransom. These promises are apparently aren’t meant to keep as cyber criminals are not known to do their end of the bargain once they receive the ransom and tend to give the victims the cold shoulder once they got what they want. Even security experts do not recommend paying the ransom and it should never even be part of the options. Instead, victims must look for ways to recover encrypted files and remove the ransomware from their Android smart phone. According to researchers, the only option for non-rooted Android device is to reset their smart phones. Meaning to say, they can remove the ransomware but they can’t recover their files, worse is they will lose all their files. On the other hand, for rooted Android devices, users can reset the PIN code using the Android Debug Bridge or the ADB tool but they still have to manually remove the ransomware from their device using a trusted and reliable mobile security program. And users can only recover their encrypted file through backups.