Growth in Android ransomware slows, but it's getting sneakier

While Android ransomware is still growing, it's doing so at a slower rate than at its peak in 2016. However, it is using sneaky new techniques to trick users.

New findings from researchers at ESET reveal that techniques like the misuse of Android's Accessibility services are being used to infect devices. The most popular attack technique, though, remains screen-locking followed by a ransom demand, with the most frequently detected variant being the Android/Locker family.

One of the most innovative ransomware families, discovered by ESET researchers in the fall of 2017, is DoubleLocker. Built on the foundations of a previously seen banking trojan, it has two powerful tools for extorting money. DoubleLocker can change the device's PIN, locking victims out of their devices, and also encrypts the data it finds in them -- a unique combination that has not been seen previously in the Android ecosystem.

DoubleLocker is mostly distributed as a fake Adobe Flash Player through compromised websites. Once launched, the app uses its disguise to request the activation of accessibility services. If the user accepts, DoubleLocker misuses the permissions to activate device administrator rights and sets itself as the default Home application. The ransomware can then be activated whenever the home button gets pressed.
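The privilege chain described above (accessibility service, then device administrator, then default Home application) is an unusual combination for one app to hold, so it makes a useful triage rule for a device inventory. The following is an added example, not code from ESET or from the article; the inventory layout, the package names and the trusted-installer list are assumptions, and the colon-separated component format mirrors Android's `enabled_accessibility_services` secure setting.

```python
# Added illustration: triage rule for the role combination described above.
# Package names and inventory values are constructed sample data.
TRUSTED_INSTALLERS = {"com.android.vending"}  # assumption: Play Store only

def package_of(component):
    """'com.example/.Svc' -> 'com.example' (flattened component name)."""
    return component.strip().split("/", 1)[0]

def parse_components(value):
    """Parse a colon-separated component list; None, '' or 'null' means none."""
    if not value or value.strip() in ("", "null"):
        return set()
    return {package_of(c) for c in value.split(":") if c.strip()}

def triage(inventory):
    """Flag packages holding all three roles, or two of them while sideloaded."""
    roles = {
        "accessibility service enabled": parse_components(inventory["accessibility"]),
        "active device administrator": parse_components(inventory["device_admins"]),
        "default Home application": parse_components(inventory["home"]),
    }
    findings = {}
    for role, packages in roles.items():
        for pkg in packages:
            findings.setdefault(pkg, []).append(role)
    flagged = {}
    for pkg, reasons in findings.items():
        installer = inventory["installers"].get(pkg)
        if installer not in TRUSTED_INSTALLERS:
            reasons = reasons + ["sideloaded (installer: %s)" % installer]
        if len(reasons) >= 3:
            flagged[pkg] = reasons
    return flagged

# Constructed inventory: a screen reader, an MDM agent and a fake "Flash" app.
SAMPLE = {
    "accessibility": "com.example.screenreader/.ReaderService:"
                     "com.example.flashplayer.update/.AssistService",
    "device_admins": "com.example.mdm.agent/.Admin:"
                     "com.example.flashplayer.update/.AdminReceiver",
    "home": "com.example.flashplayer.update/.HomeActivity",
    "installers": {"com.example.screenreader": "com.android.vending",
                   "com.example.mdm.agent": "com.android.vending"},
}

if __name__ == "__main__":
    for pkg, reasons in triage(SAMPLE).items():
        print(pkg, "->", "; ".join(reasons))
```

An app with a single role, such as the screen reader or the MDM agent in the sample, is not flagged; only the combination is.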

After the ransom is paid, the attacker can remotely reset the PIN, unlock the device, and supply an encryption key to unlock the files. The ransom is set to a relatively modest 0.0130 BTC and the message highlights that it must be paid within the next 24 hours. After the deadline expires, however, no further damage is done.

You can find out more and access ESET's latest whitepaper on Android ransomware on the company's blog.
