
Beware of Ransomware and High-Risk Threats on Android Devices

Nov 23, 2017 02:36 AM

It has been reported that a new ransomware called DoubleLocker is targeting Android devices. The malware spreads through counterfeit applications (mostly fake Adobe Flash Player) via compromised websites. It abuses Android accessibility services to elevate privileges on the victim system. The malware changes the device’s PIN, encrypts all the files on the device’s primary storage using the AES encryption algorithm, renames each file to have the extension ‘.cryeye’, and demands a ransom to decrypt them.

Malware Activities

When it is launched, the app requests accessibility service permissions. Once it has been granted them, it sets itself as the default Home screen application so that it is activated whenever the user presses the Home key on their Android phone.

 

 

Once activated, the malware changes the device’s PIN to a random value, locking the user out of their phone. The PIN is neither stored on the device nor sent to any server. It can only be reset remotely by the attacker once the ransom is paid.

The malware encrypts all the files on the device’s primary storage using the AES encryption algorithm and renames each file to have the extension ‘.cryeye’. The user is then shown a screen in which the attacker demands a ransom for decrypting the user’s files. The ransom is 0.013 Bitcoins and it must be paid within 24 hours. If the ransom is not paid, the data remains encrypted but is not deleted.
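The behaviours described above (an accessibility service, the default Home role, and files renamed to ‘.cryeye’) can be checked together during triage. The following is an added example, not part of the original post: it assumes a responder has already collected the `enabled_accessibility_services` secure setting, the resolved Home activity component, the list of user-installed packages and a file listing from the device; all package names and paths in it are constructed.

```python
# Added example: triage for the DoubleLocker behaviours described in the post.
# All sample inputs below are constructed; package names are hypothetical.
from collections import Counter
from pathlib import PurePosixPath

RANSOM_EXT = ".cryeye"  # extension named in the write-up

def parse_accessibility(setting):
    """Package names from the colon-separated 'pkg/service' setting value."""
    if not setting or setting.strip() in ("", "null"):
        return set()
    return {item.split("/", 1)[0] for item in setting.strip().split(":") if item}

def triage(accessibility_setting, home_component, third_party_pkgs, file_listing):
    """Return a list of findings; an empty list means nothing matched."""
    findings = []
    a11y = parse_accessibility(accessibility_setting)
    home_pkg = home_component.strip().split("/", 1)[0]
    third_party = set(third_party_pkgs)
    # A user-installed app that is both an accessibility service and the
    # default launcher matches the persistence pattern described above.
    both = a11y & third_party & {home_pkg}
    for pkg in sorted(both):
        findings.append(f"HIGH: {pkg} holds accessibility service and HOME role")
    for pkg in sorted((a11y & third_party) - both):
        findings.append(f"REVIEW: third-party accessibility service {pkg}")
    if home_pkg in third_party and home_pkg not in both:
        findings.append(f"REVIEW: third-party default launcher {home_pkg}")
    # Count renamed files per directory to show how far encryption got.
    hits = Counter(str(PurePosixPath(p).parent) for p in file_listing
                   if p.lower().endswith(RANSOM_EXT))
    for directory, count in sorted(hits.items()):
        findings.append(f"HIGH: {count} '{RANSOM_EXT}' file(s) in {directory}")
    return findings

# Constructed sample data (not taken from a real device)
SAMPLE_A11Y = ("com.example.flashplayer/.UpdateService:"
               "com.google.android.marvin.talkback/.TalkBackService")
SAMPLE_HOME = "com.example.flashplayer/.MainActivity"
SAMPLE_PKGS = ["com.example.flashplayer", "com.example.notes"]
SAMPLE_FILES = ["/sdcard/DCIM/IMG_0001.jpg.cryeye",
                "/sdcard/DCIM/IMG_0002.jpg.cryeye",
                "/sdcard/Download/report.pdf"]

if __name__ == "__main__":
    for line in triage(SAMPLE_A11Y, SAMPLE_HOME, SAMPLE_PKGS, SAMPLE_FILES):
        print(line)
```

A preinstalled accessibility service such as a screen reader is not flagged, because only packages in the user-installed list are considered.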

 

 

Recovery of the encrypted files is not possible as of now; the safest way to remove the malware is a factory reset. However, the PIN lock can be bypassed on rooted Android devices with Android debugging mode enabled, by using Android Debug Bridge to remove the related key files [generally /data/system/password.key].

 

Symantec Mobile Insight detects this threat as: Trojan.Fakebank.B

Note: Data available from https://www.virustotal.com

With the explosive growth in the use of mobile devices these days, it was just a matter of time before the bad guys set their targets on this sector of technology. Last year we saw a huge increase in mobile malware. A large part of this growth of mobile malware is targeting the Android OS. The purpose of this Best Practice is to help users stay safe from the threats that are targeting the mobile user.

As per US-CERT.gov, smartphones, or mobile phones with advanced capabilities like those of personal computers (PCs), are appearing in more people’s pockets, purses, and briefcases. Smartphones’ popularity and relatively lax security have made them attractive targets for attackers. According to a published report, smartphones recently outsold PCs, and attackers have been exploiting this expanding market by using old techniques along with new ones.

As per the latest Symantec Internet Security Threat Report (ISTR), mobile malware continues to be financially motivated, using tried and trusted monetization methods, such as sending premium text messages, advertisement click fraud, and ransomware.

When analyzing the malware types detected, the top two detections, Android.Malapp and Android.MalDownloader, account for more than half of total detections for the year. These are generic detections used to detect a wide variety of individual but unclassified threats.

Malware that is used to spread ransomware and malware used in attempts to steal victims’ banking information also featured in the top 20 detections for 2016.

The first interesting detection in the top 10 is Android.Opfake in third place. Opfake detects malware that sends premium text messages, which continue to be a big earner for mobile threat attackers.

Must do

  • Be careful when clicking on advertisements for free software. Many times these ads may direct you to a fake Android Market that hosts malicious versions of known applications.
  • Avoid opening unsolicited text messages. Attackers can use text messages to spread malware, phishing scams and other threats among mobile devices.
  • Don’t click on links sent from unknown sources. This includes email, messaging, Facebook, Twitter and other social websites.
  • Be suspicious of applications that ask for root privileges.
  • Make sure you have the latest mobile OS version, and all software is up-to-date. Vendors are always releasing new versions or updates of their software to protect from known vulnerabilities and flaws in their programs.
  • Use caution when enabling Bluetooth connections.  The Bluetooth setting is typically on by default, and should be disabled or paired with a device. If not, the phone will look for other Bluetooth-enabled devices to connect to, and could result in malware being loaded onto the device.

Should do

  • If possible, use security software on your smartphone.
  • For the Android OS, use applications like Norton Mobile Security or Norton Mobile Security Lite to protect your device, and the Norton Snap QR Code Reader to protect you from dangerous QR codes.
  • Use caution when scanning QR codes; only scan codes from a reputable source.
  • For iOS, use the Norton Snap QR Code Reader to protect you from dangerous QR codes.
  • Encrypt the data on your mobile device. If you use your device for business, or just want to protect your personal data, encrypting data is a must. If you lose your device and the SIM card is stolen, the bandit cannot access the data if the latest encryption technology is loaded on the device.
  • Users should password-protect their devices. This can help protect your sensitive data when your device is lost, stolen or hacked.

Best Practices

  • Do not download and install applications from untrusted sources. Install applications downloaded only from reputable application markets.
  • Make a practice of taking regular backups of your Android device.
  • Prior to downloading / installing apps on Android devices (even from Google Play Store):
    • Always review the app details, number of downloads, user reviews, comments and "ADDITIONAL INFORMATION" section.
    • Verify app permissions and grant only those permissions which have relevant context for the app's purpose.
    • Do not check the "Untrusted Sources" checkbox to install sideloaded apps.
  • Exercise caution when clicking links while visiting sites, whether trusted or untrusted.
  • Install and maintain an updated antivirus solution on Android devices. Scan the suspected device with antivirus solutions to detect and clean infections.
  • Enable 2-factor authentication for your Google/other accounts.
  • Install Android updates and patches as and when available from Android device vendors.
  • Users are advised to use the device encryption or external SD card encryption feature available with most versions of the Android OS.
  • Avoid using unsecured, unknown Wi-Fi networks. There may be rogue Wi-Fi access points at public places used for distributing malicious applications.

 

More information

A Window Into Mobile Device Security - http://www.symantec.com/content/en/us/enterprise/white_papers/b-mobile-device-security_WP.en-us.pdf

Comments

Mar 28, 2019 06:12 AM

Symantec's products might be an option too, Nazmeen.  &: )

One difference between ransomware that affects laptops/desktops/servers and ransomware that affects mobile devices: in many cases, victims will find it cheaper to simply purchase a new phone or tablet rather than to pay the ransom. 

Mar 28, 2019 01:35 AM

Like computer systems, smartphones are also becoming vulnerable and could be infected with viruses, malware, and ransomware. To prevent this risk, install some good antivirus for mobile like Avast or Panda.
