New Android Malware Encrypts Phone and Changes PIN
The Doublelocker malware is a new strain of Android malware. Rather than finding some vulnerability in the Android OS, it ASKS the user politely, may I please install this malware on your computer. It does this by pretending to be, for example, an Adobe Flash update. Since Flash updates are so common, some people don’t think twice about installing the update. At this point, the game is over and the attacker has won.
Without going into the details of how the malware works, it tricks the user into granting the permissions that the malware needs in order to infect your device. Once it has the needed permissions, it does these two things –
First, it encrypts the data on the user’s phone.
Second, it changes the user’s security PIN, locking the user out of the encrypted phone.
Hence the term DOUBLE locker. Belt and suspenders.
ESET says that the new PIN is neither stored on the device nor transmitted to the hacker, making it impossible for either the user or security to reset the PIN and unlock the phone. They also say that if you can reset the PIN then you can delete the file with the new PIN, so it is not clear which is right. However, if you have managed to reset the PIN using one of the possible methods, deleting the PIN file is kind of irrelevant. The hacker, however, can reset the PIN remotely – assuming that the user pays the ransom. The ransom is typically $54, so from the user’s standpoint, that might be a pretty easy choice.
ESET says that you can do a factory reset to regain control of the device, but if you do that, you will lose any files that are stored on it. If you have backups, that may not be a big deal, but if you don’t have backups, well, that is a problem.
If you phone can be remotely managed, that is also a way to reset the PIN, but in this case, while your data is still there, it is also still encrypted so without paying the ransom, you still do not have access to your files.
Bottom line is that you may be able to reset the PIN and get access to the device, but getting your data back, well that is likely impossible without paying the ransom.
Information for this post came from Dark Reading.
by 