Without root you will not remove this virus, which changes the PIN and encrypts your data

Experts from ESET warn of a new threat that encrypts data and demands a ransom to unlock it. DoubleLocker is the first ransomware in history to both change the PIN and encrypt data on Android phones at the same time.

Lukáš Štefanko, a malware researcher at ESET, was the first to discover the DoubleLocker threat targeting Android phones. This ransomware can not only change the device's PIN, blocking access to it, but also encrypt valuable data and demand a ransom to unlock it. DoubleLocker is distributed via websites that offer a fake version of the Adobe Flash Player application. The virus asks the phone's owner to activate an accessibility service called "Google Play Service", and then, without the user's consent, uses administrator rights to set itself as the default application. As ESET experts point out, this trick makes the threat run every time the "Home" button is pressed.

- The threat uses a very strong encryption method (the AES algorithm), so it is not possible to recover the files without the encryption key obtained from the DoubleLocker developers. However, I advise against paying any money; there is no guarantee that you will receive the appropriate key after paying the ransom, or that the key will be correct - explains Kamil Sadkowski, a threat analyst at ESET.


Encrypted files with a ransom demand message.

If your phone has fallen victim to DoubleLocker, you will most likely not be able to recover your data, unless, as Kamil Sadkowski from ESET points out, you have a backup copy. In the expert's opinion, there is a way to regain access to a locked phone: through so-called root, i.e. an administrative account on the smartphone that allows you to manage system files, among other things. You then connect to the device via a USB cable (the ADB interface) and delete the system file in which the PIN code is stored. This operation unlocks the screen and thus the device. Then, working in safe mode, the user can deactivate the administrator privileges assigned to the malicious software and uninstall it. To get rid of the malware completely, restore the device to factory settings as soon as you regain access to it. In some cases it is necessary to restart the device.
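The recovery steps above, scripted as an added example (this is not the article's or ESET's code). It assumes adb is on PATH, USB debugging is enabled, the device has a working `su`, and a placeholder path for the PIN file, which the article does not name; the device-admin listing assumes the usual `dumpsys device_policy` layout.

```shell
#!/bin/sh
# Added example, not code from the article or from ESET: the root + ADB
# recovery steps as shell functions. Assumed: adb is on PATH, USB debugging
# is on, and the device has a working `su`. The article does not name the
# file holding the PIN, so PIN_FILE is a placeholder to set per device.
set -u

PIN_FILE="${PIN_FILE:-/data/system/PIN_FILE_PLACEHOLDER}"

# 0 when exactly one device is attached in state "device" (not offline/unauthorized).
device_ready() {
    adb devices | awk 'NR > 1 && $2 == "device" { n++ } END { exit (n == 1) ? 0 : 1 }'
}

# 0 when `su` on the device yields uid 0; without root the lock file
# cannot be removed, which is the article's point.
have_root() {
    adb shell su -c id 2>/dev/null | grep -q 'uid=0('
}

# Step 1: delete the lock-credential file so the screen unlocks; refuse without root.
delete_pin_file() {
    have_root || { echo "no root on device: cannot remove the lock" >&2; return 1; }
    adb shell su -c "rm -f '$PIN_FILE'"
}

# Step 2 helper: print device-admin components from `dumpsys device_policy`
# text on stdin. Assumed format: each admin appears as a "<pkg>/<receiver>:"
# line under "Enabled Device Admins". These are the entries to deactivate in
# safe mode before uninstalling the app.
list_device_admins() {
    sed -n 's/^[[:space:]]*\([A-Za-z0-9_.]\{1,\}\/[A-Za-z0-9_.$]\{1,\}\):$/\1/p'
}

recover() {
    device_ready || { echo "attach exactly one authorized device" >&2; return 1; }
    delete_pin_file || return 1
    echo "Lock file removed. Reboot into safe mode and deactivate these device admins:"
    adb shell dumpsys device_policy | list_device_admins
}

# Only touch a real device when explicitly asked, so the file can be sourced for checks.
if [ "${RUN_RECOVERY:-0}" = 1 ]; then
    recover
fi
```

Run with `RUN_RECOVERY=1 PIN_FILE=/path/on/your/device sh recover.sh`; the factory reset the article recommends afterwards is deliberately left to the user.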
