The infection mechanism works well – which is crucial for determining how big of a deal a piece of malware is.
Cybercriminals have developed an innovative ransomware that is based on the foundations of a particular banking Trojan to misuse Android accessibility services.
Discovered by ESET malware researcher, Lukáš Štefanko, DoubleLocker, has two powerful tools for extorting money from its victims, and includes a combination that has not been seen previously in the Android ecosystem.
WeLiveSecurity sat down with Lukáš to find out more details about the discovery, and to get his view on trends in Android ransomware.
Based on the article about DoubleLocker, it seems that this malware is rather innovative. Do you agree?
Well, DoubleLocker is the first known Android ransomware that both encrypts the user’s files and locks the device by changing its PIN. And on top of this, it’s also the first known ransomware spread by misusing Android accessibility services.
For these two reasons, I think DoubleLocker can be called innovative.
OK, but how big of a deal is it in practice?
The samples we analyzed have some bugs but overall, the malware works as intended. Also the infection mechanism works well – which is crucial for determining how big of a deal a piece of malware is.
Also important is that DoubleLocker is derived from an established banking malware family. Although its creators stripped it of the money-stealing capability, we can expect to face malware that will attempt to steal your money directly from your bank account and then try to make another profit from you via ransom. We can call it a ransom-banker.
Sounds like quite a nightmare. Hopefully it will not materialize anytime soon.
I’ve got bad news here. We have already seen such malware. Back in May, 2017 we spotted a sample of Android banking malware capable of encrypting files and requesting ransom. Apparently, it was just a test. However, it clearly shows that the bad guys take every opportunity to improve their tools and up their game.
You mentioned Android accessibility services as a means for infecting devices with DoubleLocker. Does that make DoubleLocker any more dangerous?
Accessibility service is a feature of the Android operating system aimed at helping users with disabilities which, unfortunately, poses a huge security risk. It allows applications to perform actions like clicking on buttons in dialog boxes and system menus on the users’ behalf, and, in the case of malware, often without their knowledge.
Which brings us back to your question: misusing accessibility services is a dirty trick that de facto takes over the victim’s device. So yes, it does make DoubleLocker more dangerous – even without the functionality of stealing money from victims’ accounts.
After the bad guys add the banking functionality – and I personally have no doubts they will – the resulting ransom-banker may become a true nightmare.
Yes, ransom-bankers, as you call this type of new malware, seem to be capable of doing more harm than ransomware or banking malware alone. However, why should they pose a greater risk than backdoors that allow for the downloading of banking malware, ransomware or both, or whatever else the bad guys want?
Well, that’s a good point: with your device a part of a botnet, you can encounter any malware at any given moment. However, the criminals who control the botnets often prefer a steady income from, say, advertising fraud – I mean fake clicks by the controlled devices. In another words, the botnet herders only rarely resort to actions that would destroy their cash cows. For example, spreading a PIN locker across the botnet would force the victims to make a factory reset, cleaning the device from any infection and thus escaping from the botnet.
As a result, devices in botnets are relatively safe from destructive actions, in particular from ransomware.
Now back to your question: while botnets are a great tool for long-term gains from cybercrime, I fear that ransom-bankers could become a great tool for much more damaging, big bang-like, cybercrime.