Detecting DoubleLocker Ransomware

save
Share and earn Cybytes
Facebook Twitter LinkedIn Email

What is DoubleLocker?

Security researchers at ESET discovered a new ransomware infecting Android phones called DoubleLocker. DoubleLocker is an exploit that encrypts data on the infected device and then changes the device PIN to a random number. Victims remain locked out of their device unless they pay a ransom to the hackers.

DoubleLocker spreads in the very same way as its banking parent does. It is distributed mostly as a fake Adobe Flash Player through compromised websites.
Once launched, the app requests activation of the malware’s accessibility service, named “Google Play Service”. After the malware obtains the accessibility permissions, it uses them to activate device administrator rights and set itself as the default Home application, in both cases without the user’s consent. [1][2]

How zIPS Helps

Zimperium’s z9 on-device mobile threat defense engine is trained in a lab using machine learning techniques. These techniques are applied at the device, network, and application threat vectors to specifically look at operating system level statistics. These statistics determine if a threat is occurring on the device and has enabled us to detect 100% of both known and previously unknown attacks. Should an attempt to exploit the device be detected, Zimperium can take action on the device to prevent the exploit from advancing.

zIPS is a mobile security app containing the z9 detection technology. zIPS monitors the entire mobile device for malicious behavior regardless of the attack entry point. The device-wide resident approach does not rely on external IDs or malware signatures. This makes zIPS immune to evasion techniques such as polymorphic malware, virtual machine awareness, download and execute techniques or binary obfuscation.

zLabs tested the recently discovered DoubleLocker malware disguised as an Adobe Flash Player update. We found zIPS detected the malware and provided user recommendations to uninstall the specific app. The screen shots below show the malicious Adobe Flash Player app asking for Bitcoin followed by zIPS detection and recommendations.

 

Additional Recommended Actions

We recommend utilizing a mobile threat defense app like zIPS to detect operating system vulnerabilities, file system changes, mobile malware and device modifications as well as network threats. You can install zIPS from Google Play or Apple App Store. After installation, please contact Zimperium for an evaluation license and administration console.

Zimperium also advises you to update your devices with the most up to date operating system and security patches available. You can read the latest security updates from Apple and Google on their respective security sites.

Contact Us

If you have addition questions on this threat or others that may be affecting your users, please contact us so we may answer your specific questions.

 

Sources:

  1. https://www.welivesecurity.com/2017/10/13/doublelocker-innovative-android-malware/
  2. https://news.drweb.com/show/?i=11381

The post Detecting DoubleLocker Ransomware appeared first on Zimperium Mobile Security Blog.

Share this post and earn Cybytes
Facebook Twitter LinkedIn Email
Follow
1987 Followers
About Zimperium
Zimperium, the industry leader in Mobile Threat Defense, offers real-time, on-device protection against both known and previously unknown threats, enabling detection and remediation of attacks on all three mobile threat vectors - Device, Network and Applications. Zimperium’s patented z9™ detection engine uses machine learning to power zIPS™, mobile on-device Intrusion Prevention System app, and zIAP™, an embedded, In-App Protection SDK that delivers self-protecting iOS and Android apps. Leaders across the mobile ecosystem partner with Zimperium, including mobile operators (Airtel, Deutsche Telekom, SmarTone, SoftBank and Telstra), device manufacturers (Samsung, SIRIN, TriGem), and leading enterprise mobility management (EMM) providers (AirWatch, MobileIron, BlackBerry, Citrix and SAP). Headquartered in San Francisco, Zimperium is backed by Sierra Ventures, Samsung, Telstra, Warburg Pincus and SoftBank. Learn more at www.zimperium.com or our official blog at https://blog.zimperium.com.

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Cybrary On The Go

Get the Cybrary app for Android for online and offline viewing of our lessons.

Get it on Google Play
 

Support Cybrary

Donate Here to Get This Month's Donor Badge

 
Skip to toolbar

We recommend always using caution when following any link

Are you sure you want to continue?

Continue
Cancel