A new breed of Android ransomware has been discovered that hits victims with a double whammy. DoubleLocker not only encrypts data as all ransomware does, it also changes the PIN on the target device.
DoubleLocker was discovered by security researchers at ESET. They say that the ransomware abuses Android accessibility settings, and is the first to use a double-lock approach. Because it is built on previously released banking malware, it is thought that a test version of DoubleLocker could have been in the wild since as early as May.
Despite the banking roots, the ransomware is focused purely on extracting money from victims as a ransom — it is not capable of accessing banking details stored on a phone or tablet. DoubleLocker spreads as a fake version of Adobe Flash Player, and it uses a clever trick to ensure that it gets activated — enabling accessibility services and then setting itself as the default home app.
Lukáš Štefanko, the ESET malware researcher who discovered DoubleLocker, explains:
Setting itself as a default home app — a launcher — is a trick that improves the malware’s persistence. Whenever the user clicks on the home button, the ransomware gets activated and the device gets locked again. Thanks to using the accessibility service, the user doesn’t know that they launch malware by hitting Home.
Once active, DoubleLocker will first change the device’s PIN to a random number. The new PIN is not stored on the target device, so there is no way to determine what it is. This is the first incentive for a victim to pay a ransom, and once this has been paid, the PIN can be remotely reset. The second incentive is the encryption of the device’s data using the AES encryption algorithm, with the extension “.cryeye” appended to each encrypted file.
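The two behaviours described above (an accessibility-service-enabled app that has also made itself the default home app, and files renamed with a “.cryeye” suffix) are both things an analyst can check for on a device. The following Python is an added triage example, not ESET’s code or anything from the article: it parses the text output of two Android shell commands (`settings get secure enabled_accessibility_services`, whose colon-separated “package/Service” format is real, and `cmd package resolve-activity --brief` for the HOME intent, whose output format is assumed here) and flags a package that appears in both places, then tallies encrypted files by their original extension. The sample command output, the package name `com.adobe.flashplayer.fake`, the allowlist and the file names are all constructed for the example.

```python
"""
Added DoubleLocker triage example. Inputs are plain strings / name lists so the
checks can run offline on output collected from a device (e.g. via adb shell).
"""
import os
from collections import Counter
from typing import Iterable, Optional

# Constructed sample of: adb shell settings get secure enabled_accessibility_services
# Real format: colon-separated "package/ServiceClass" entries.
SAMPLE_ACCESSIBILITY = (
    "com.google.android.marvin.talkback/.TalkBackService:"
    "com.adobe.flashplayer.fake/.AccessibilityHelper"
)

# Constructed sample of:
#   adb shell cmd package resolve-activity --brief \
#       -a android.intent.action.MAIN -c android.intent.category.HOME
# Assumption: the last non-empty line is the resolved "package/Activity" component.
SAMPLE_HOME = (
    "priority=0 preferredOrder=0 match=0x108000 specificIndex=-1 isDefault=true\n"
    "com.adobe.flashplayer.fake/.MainActivity"
)

# Assumption: packages the defender has vetted to run an accessibility service.
ALLOWLIST = {"com.google.android.marvin.talkback"}


def parse_accessibility(output: str) -> set:
    """Return the set of packages with an enabled accessibility service."""
    pkgs = set()
    for entry in output.strip().split(":"):
        if "/" in entry:
            pkgs.add(entry.split("/", 1)[0])
    return pkgs


def parse_home(output: str) -> Optional[str]:
    """Return the package that currently resolves as the default home app."""
    lines = [ln.strip() for ln in output.strip().splitlines() if ln.strip()]
    if not lines or "/" not in lines[-1]:
        return None
    return lines[-1].split("/", 1)[0]


def find_launcher_hijack(acc_output: str, home_output: str,
                         allowlist=ALLOWLIST) -> dict:
    """Flag the DoubleLocker persistence pattern: an unvetted package that has
    an accessibility service enabled AND is the default home (launcher) app."""
    unvetted = parse_accessibility(acc_output) - set(allowlist)
    home = parse_home(home_output)
    return {
        "unvetted_accessibility": sorted(unvetted),
        "home_package": home,
        "hijack_suspected": home is not None and home in unvetted,
    }


def cryeye_impact(names: Iterable[str], ext: str = ".cryeye") -> Counter:
    """Count files carrying the ransomware suffix, keyed by the extension the
    file had before the suffix was appended (e.g. photo.jpg.cryeye -> .jpg)."""
    counts = Counter()
    for name in names:
        base = os.path.basename(name)
        if base.lower().endswith(ext):
            original = base[: -len(ext)]
            counts[os.path.splitext(original)[1].lower() or "(none)"] += 1
    return counts


def scan_dir(root: str) -> Counter:
    """Walk a directory tree (e.g. a pulled sdcard image) and tally .cryeye files."""
    names = (os.path.join(d, f) for d, _, files in os.walk(root) for f in files)
    return cryeye_impact(names)


if __name__ == "__main__":
    print(find_launcher_hijack(SAMPLE_ACCESSIBILITY, SAMPLE_HOME))
    # Constructed file list standing in for a pulled storage image.
    print(cryeye_impact(["DCIM/photo.jpg.cryeye", "Download/doc.pdf.cryeye",
                         "notes.txt", "README.cryeye"]))
```

A real device check would pass the output of the two adb commands into `find_launcher_hijack`; a hit means a package outside the allowlist is both driving accessibility events and answering the Home button, which is exactly the persistence combination the article describes, and is a much rarer combination for legitimate software than either property alone. `scan_dir` on a pulled copy of user storage gives a quick picture of what categories of data were encrypted.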