Android ransomware DoubleLocker encrypts data and changes PINs

Crooks have come up with a strain of Android ransomware that both encrypts user data and locks victims out of compromised devices by changing PINs. DoubleLocker combines a cunning infection mechanism with two powerful tools for extorting money from its victims. "Its payload can change the device's PIN, preventing the victim …

  1. kain preacher

    Wait, last time I wanted to use Flash on an Android I had to manually install it. In fact I had to go to an archived Flash site to get it, as Flash has not been offered on Google Play for quite some time.

    1. Tigra 07

      RE: Kain

      It's likely targeted at the idiots that fall for these kinds of scams.

      The same people who click on flashing banners on websites saying "You've won, click here to get your prize".

      The very same people who think they've won the Nigerian lottery when checking their email.

      I'm ashamed to admit that I know two such people, with the one believing the toilet won't flush during a power cut...

      1. Rob Crawford

        Re: RE: Kain

        Maybe you should plug their toilet in and do the human race a favour

      2. GBE

        Re: RE: Kain

        "I'm ashamed to admit that I know two such people, with the one believing the toilet won't flush during a power cut..."

        Whether or not your toilet continues to flush during a power cut depends on what you use for a water source. I've lived places where it would flush a few times during a power cut, but eventually it wouldn't.

      3. kain preacher

        Re: RE: Kain

        Tigra 07, I do believe this is above the skill set of these idiots to do it. I had to find the Flash web site, put it on an SD card. Then scroll through the settings to allow me to install apps from untrusted sources. Try asking the average Android user how to find files (using the file manager app) on their phone. See what happens.

      4. Terry 6 Silver badge

        Re: RE: Kain

        Actually, we do have a toilet that won't flush (or rather won't refill after one flush) if the power goes off. The water supply is pumped to it. That being said, I did have to explain, patiently, to a worried shopkeeper that, despite the message he'd just been sent over the Interweb, any of the old round £1 coins in his till wouldn't become worthless overnight just because they stopped being legal tender.

        1. Tigra 07

          Re: RE: Terry

          An electric toilet? What a world we live in...

          And for the record, said person who thinks our toilet needs a power supply will believe ANYTHING you tell her...

    2. Anonymous Coward
      Anonymous Coward

      Yep, the potential infection rate of this "news" is basically zero (when you exclude "researchers" actively getting it).

      You not only have to manually install Flash, you have to grant lots of permissions, grant accessibility permission, activate it as a device administrator, and that before we even bring in the other big guns like Google's on-device app scanning, which you would have to have opted out of...

      It's quite embarrassing how these hypothetical infections are making news. It's as if they NEED the clicks that go with them.

      1. Anonymous Coward
        Anonymous Coward

        Just, probably a lot of porn still requires Flash....

        1. Anonymous Coward
          Anonymous Coward

          >porn still requires Flash....

          it doesn't anymore and hasn't for years - according to a friend.

          1. Anonymous Coward
            Anonymous Coward

            Re: >porn still requires Flash....

            Ahem, porn sites were one of the first to switch over to HTML5. So I was told by my hot busty secretary that is always bending over.

            Wait, what do you mean that this post is pure work of fantasy? No, no, I do not look at porn much, on days that have U, E, S or N in them.

            1. Anonymous Coward
              Anonymous Coward

              Re: >porn still requires Flash....

              Yet, a compromised porn site will tell you "you need to install this to watch", and et voilà!

            2. Dr Mantis Toboggan

              Re: >porn still requires Flash....

              90% of El Reg security articles are pure fantasy. They stopped reporting real tech news years ago.

          2. 's water music

            Re: >porn still requires Flash....

            it doesn't anymore and hasn't for years

            Eeww, I thought we were still talking about toilets not flushing for a moment there.

        2. Anonymous Coward
          Anonymous Coward

          Umm, they do not

          The big names have moved to HTML5 video for quite a while. However, there are ads on those sites for various "games" which do require Flash.

        3. Anonymous Coward
          Anonymous Coward

          Nope.

          I have done extensive research on this, and can definitely confirm it's not true. If it needs Flash, it's not porn, it's malware.

          (I watched the porn so you don't have to).

          1. Anonymous Coward
            Anonymous Coward

            Re: Nope.

            You are obviously a very good person for doing this for the rest of us. Thank you!

        4. katrinab Silver badge

          “Just, probably a lot of porn still requires Flash....”

          All the porn sites I visit work fine on my iPad, which doesn’t have Flash.

          Anyway, why do men feel the need to pretend they never look at porn?

          1. Kiwi

            Anyway, why do men feel the need to pretend they never look at porn?

            Some of us never do...

            At least not for the last few years anyway, back around '06 it actually was bordering on an addiction for me for a while. Got myself some help (from a very good friend who waived all fees for the time we spent) but, like with smoking and alcoholism, I have to be careful not to touch it again or I could easily be hooked again. It wasn't being done to "fulfill some deep childhood need" or other stuff like that which many psychs will mention, it started as something where an employer asked me to help keep the work computers clean, something tickled my fancy (actually I think it was a curiosity about someone I thought I might've known in a video, downloaded it at home or something like that), and when I was bored I'd find some entertainment. If only I'd found cat videos instead when I went searching for "pussy"...

      2. RyokuMas
        Facepalm

        Better they are reported now than after it has been re-engineered in such a way that it can circumvent Play Store security.

        It's very embarrassing how some people either have their heads stuck in the sand over potential security issues... or is this a case of attempted reputation damage limitation?

        1. Anonymous Coward
          Anonymous Coward

          If reporting was the aim, then contacting Google is appropriate. This is paid viral clickbait with a hidden agenda.

      3. Anonymous Coward
        Meh

        "You not only have to manually install flash, you have to grant lots of permissions, grant accessibility permission, activate it as a device administrator, "

        So fewer permissions than your average torch or photo app then?

        1. Anonymous Coward
          Anonymous Coward

          What torch app requires device administration?? That is not your usual android security permission prompt, it's a full screen activation activity.

          Please tell...

          1. Kiwi
            Facepalm

            What torch app requires device administration?? That is not your usual android security permission prompt, it's a full screen activation activity

            What Android user bothers to read the warning before clicking "PWN MEOK"?

    3. TheVogon

      Android security is terrible. My device is not rooted. I only install from the Play Store. Yet I had malware (called Expensive Wall) register me for a premium rate service (which fortunately I cancelled before being charged).

      1. mark l 2 Silver badge

        If your Android phone is a cheap Chinese one then you might find that your phone had malware built into the ROM from the vendor, so you don't need to install any apps to get popups and random app installs. Doogee have a big problem with this, but it doesn't show until you have been using the phone for about a month, so they can claim it must be an app you have installed.

        1. TheVogon

          My phone is a Galaxy S8+ from a UK vendor. Still got malware from the Play Store...

  2. Anonymous Coward
    Anonymous Coward

    How does it change the device's PIN? Why would Google expose an API to allow this, rather than all PIN services being privileged and handled by some super-secure unspoofable protected layer of the OS? Seriously, what kind of fuckwits do they have coding Android?

    Edit. Apparently this does the trick. Google truly -are- fuckwits.

    https://stackoverflow.com/questions/12453926/change-pin-programmatically

    1. Anonymous Coward
      Anonymous Coward

      No, they have to accommodate people who, you know, may not be able to touch the screen or even use a mouse. They can get in legal trouble, otherwise, for not catering to the disabled. Device Administrator privileges tend to tie in to Accessibility features.

      1. Anonymous Coward
        Anonymous Coward

        This would be easy to fix if they had a switch somewhere in the accessibility menu to allow other programs to set a PIN. Most people don't need accessibility options, so having something like this enabled by default isn't that great. If the only people who could be attacked by this malware were people who had enabled this option, the malware writers wouldn't bother.

        1. Charles 9

          Point is, its mere existence also means the ability to enable it with the right sequence of events. And the law MANDATES its existence. Ergo, you can't win.

    2. Anonymous Coward
      Anonymous Coward

      This is a requirement in enterprise, how else would MDM be able to remote-reset a pin?

      It's not an open API any app can use; the app must be verified by the OS (read: user) via a full-screen (probably ignored) security warning. Changing your PIN is the least of your concerns if you give an app this permission. It literally is an admin, and can encrypt/wipe the entire device if it wants.

      Removing this functionality would make Android unmanageable in enterprise.

      1. Anonymous Coward
        Anonymous Coward

        It could be restricted so you're only allowed to use it on a device that's under management. The majority are not, so that would protect most of them. Presumably the transactions for remote reset / remote wipe / etc. require a certificate that gets installed when a device is managed, otherwise you have bigger things to worry about.

        1. Anonymous Coward
          Anonymous Coward

          "It could be restricted so you're only allowed to use it on a device that's under management."

          The permission is required for the management software, you must give the management software this permission for it to manage the device. Therefore the device cannot be "under management" without first giving out this permission.

          Users are giving the permission to rogue apps. The only solution around social engineering is education. Unfortunately the masses don't want to be educated.
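The comments above describe the two privileges a device administrator app holds (and that the thread says DoubleLocker abuses): Device Administrator rights and an enabled accessibility service. This is an added audit helper, not code from the thread or from any MDM product; it assumes the caller supplies an allowlist of packages (e.g. the organisation's own MDM agent) and reports any other app that currently holds either privilege, which is the check an administrator or a user would want before trusting a device.

```java
// Added example: audit which apps hold Device Administrator rights and which
// have an enabled accessibility service, then flag any not on an allowlist.
// The allowlist contents are the caller's assumption (e.g. a known MDM agent).
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.provider.Settings;
import android.text.TextUtils;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

public final class PrivilegedAppAudit {

    /** Packages currently active as device administrators (empty when none). */
    public static List<String> activeAdminPackages(Context ctx) {
        DevicePolicyManager dpm =
                (DevicePolicyManager) ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);
        List<ComponentName> admins = dpm.getActiveAdmins(); // null when no admins
        List<String> out = new ArrayList<>();
        if (admins != null) {
            for (ComponentName cn : admins) {
                out.add(cn.getPackageName());
            }
        }
        return out;
    }

    /** Packages that own an enabled accessibility service. */
    public static List<String> enabledAccessibilityPackages(Context ctx) {
        // The setting is stored as "pkg/ServiceClass:pkg2/ServiceClass2".
        String raw = Settings.Secure.getString(ctx.getContentResolver(),
                Settings.Secure.ENABLED_ACCESSIBILITY_SERVICES);
        List<String> out = new ArrayList<>();
        if (TextUtils.isEmpty(raw)) {
            return out;
        }
        for (String entry : raw.split(":")) {
            ComponentName cn = ComponentName.unflattenFromString(entry);
            if (cn != null) {
                out.add(cn.getPackageName());
            }
        }
        return out;
    }

    /** Subset of the found packages that are not on the caller's allowlist. */
    public static List<String> unexpected(List<String> found, Set<String> allowlist) {
        List<String> flagged = new ArrayList<>();
        for (String pkg : found) {
            if (!allowlist.contains(pkg)) {
                flagged.add(pkg);
            }
        }
        return flagged;
    }
}
```

Anything returned by `unexpected(...)` for either list is an app that can change the lock screen PIN or drive the UI on the user's behalf, and is worth removing via Settings if it is not the expected management agent.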

  3. fidodogbreath

    Apple tax?

    This is the kind of crap that made me dump Android. The accessibility service security was supposedly improved in Oreo, but most Android users will never see that unless they buy a new phone.

    A brand new Pixel 2 costs about the same as an iPhone 8, but is only promised OS and security updates for three years from release. Based on previous history, an iPhone 8 buyer can expect to receive full OS and security updates through 2022. To achieve that same level of currency, you'd have to buy another new Pixel phone in 2020. That makes even the most-supported Android phone 2x more expensive over 5 years than Apple's offering.

  4. Nick London

    It only says it is a Flash update.

    Updating Flash was a regular chore on my web browser until HTML5 came along. Most people won't have a clue whether Android uses Flash or not. So they are more likely than not to push the update button.

    And who worries about permissions except the tin foil in the hat brigade. They should but they don't.

    1. Anonymous Coward
      Anonymous Coward

      Re: It only says it is a Flash update.

      So I guess all that is required is you visit a site they've hacked? This could be almost any site given how many major sites don't keep up with patching, let alone the lesser ones. Imagine if someone hacked a site like yahoo.com with this payload?

      I agree that presenting itself as a flash update is a smart strategy. Adobe's constant barrage of patches has trained PC users to click 'yes' on anything related to flash, and most people won't know that flash isn't even supported on Android. Much more likely to fool people than previous strategies trying to find those dumb enough to click yes to install a free app with celebrity nudes or whatever.

      The big problem is that this could be sort of the "gift that keeps on giving". They hack a few sites, hit some people, then the sites are fixed. Hack another few sites, hit more people, and so on. Since the majority of Android phones won't see a fix for this, it could keep dribbling on and on for a long time. If they ever hit a really major site, look out!

      Probably will also see some copycats, since you merely need to modify the attack to deposit the bitcoins in YOUR wallet instead of the wallet belonging to whoever created this, and find your own web sites to hack.

  5. Anonymous Coward
    Anonymous Coward

    Oh, and folks, whatever you do, do not ever look up angry beaver porn, zombie porn or angry zombie beaver porn.

    1. Anonymous South African Coward Bronze badge

      I see what you did there....

  6. Charles 9

    I'm waiting for an Android malware that can war-drive a vanilla device in the field, without special privileges, completely pwn it, and find a way to persist even after a factory reset. THEN I'll be interested.

    1. fidodogbreath

      I'm waiting for an Android malware that can war-drive a vanilla device in the field, without special privileges, completely pwn it, and find a way to persist even after a factory reset. THEN I'll be interested.

      The Broadcom WiFi bug allows remote code execution in the context of the kernel. It was patched in 2016, but a lot of devices never received an update for it.

  7. Anonymous South African Coward Bronze badge

    I have to assume that files on your SD card also get encrypted?

    What about dropbox or google drive (or any cloudy file storage for that matter)?

  8. Anonymous Coward
    Facepalm

    DoubleLocker combines a cunning infection mechanism

    DoubleLocker would be dangerous if it installed without visiting a compromised website and explicitly downloading and installing the fake Flash update.

  9. Anonymous Coward
    Anonymous Coward

    Re. dumbasses

    I have no sympathy for phools that click every "You've won a prize!!!!!" in broken Engrish just in case.

    I also suggest that if anyone has valuable data on their phone and does not have it backed up, to do so ASAP in an offline format (ie BD-R) so nothing can mess with it. All of £1.22 a disk and if Income Tax/HMRC/etc ever come knocking you can produce those payslips/invoices/P&L sheets pretty sharpish.

    Being nobbled by ransomware is not an excuse, I've checked!

    Especially annoying when the cause of data loss is SO messing with phone and "accidentally" putting a trojanized version of Facebook Lite on there, resulting in endless suffering and a Godzillabill until I removed it. $Deity knows how much damage was done, but judging by how hot the phone was getting it was likely mining as well.

    1. Kiwi
      Trollface

      Re: Re. dumbasses

      I initially downvoted you but had to switch for "Godzillabill". (El Reg, how's about a feature to cancel a vote?)

      However, what is a "(ie BD-R)"? Some throwback to the 60's? How do I fit one in my phone?

  10. Montreal Sean

    @Kiwi - BD-R

    http://lmgtfy.com/?q=Bd-r

    1. Kiwi

      Re: @Kiwi - BD-R

      @Kiwi - BD-R

      http://lmgtfy.com/?q=Bd-r

      Yes I know full well what they are, even saw a disk for them once I think. Once pulled a non-working drive from a computer, customer had never used it anyway (was causing some issue at POST IIRC).

      The point I was making is that who uses such limited mediums to back up to these days, when your phone automatically does it to this "cloud" thingy anyway?

      For that matter, as usual ( :( ), who does backups even when it is automatic?

      Site wouldn't work for me though, requires running google BSJS, that's a low I'm not interested in sinking to.

      1. Charles 9

        Re: @Kiwi - BD-R

        "The point I was making is that who uses such limited mediums to back up to these days, when you phone automatically does it to this "cloud" thingy anyway?"

        Many of us don't trust clouds to stay where they are over time, plus there's the matter of data caps, which ARE stricter for mobiles than they are for landlines (due to sheer physics).

        "For that matter, as usual ( :( ), who does backups even when it is automatic?"

        It's not on Android. I don't know of any automated mechanism where Nandroids (complete app and data backups) can be done automatically, not even with rooting (AFAIK, only Recovery Mode can do a Nandroid). If Google were smart, they'd include a mechanism for such a backup into the standard Android so that any user can maintain backups in case Murphy strikes. It's not like it's that difficult, and you can even encrypt them if you're scared about data leaks.

  11. Anonymous Coward
    Anonymous Coward

    RE. Re. BD-R

    At 50GB a disk the price is still lower than tape and for most purposes (eg backing up data in a form you can get to easily) it's fine. Disks will last at least 40+ years in storage.

    Of course being able to find a drive that can read them might be a problem; it's hard enough to find a CD-R capable drive these days as many Bluray players simply dispense with the 780m laser to save costs.

    1. Kiwi

      Re: RE. Re. BD-R

      At 50GB a disk the price is still lower than tape and for most purposes (eg backing up data in a form you can get to easily) it's fine. Disks will last at least 40+ years in storage.

      We're talking home users here. The disks will survive at most 2 incidents of being slid across the carpet face-down (never had kids?), or one incident of cat+shiny. They'll not be put in hermetically sealed rooms with a dozen layers of security, they'll be left where whoknowswhat dust and other stuff can get to them, they'll be mishandled, fingerprinted, labels written with a ballpoint pen. 40 years? I'd be surprised if they last 40 minutes.

      And then there's the getting the drive hooked up to the phone, getting backup software that works, backup software that will still work next month, getting the users to do the few seconds of pressing buttons before they go to sleep at night to let some sort of backup process run for a few minutes.

      As to CDs, I still have a few older machines that may be in working order. Circa P1 or P2 machines I think. (If anyone's desperate enough to be interested in acquiring them, get in touch via El Reg)

  12. Dez Scotland

    Safe mode?

    Couldn’t the user just boot up android safe mode ?

    1. Anonymous Coward
      Anonymous Coward

      Re: Safe mode?

      "Couldn’t the user just boot up android safe mode ?"

      I know Android security is terrible, but surely that doesn't bypass the security?
