DoubleLocker ransomware ransom note, locked files

A new ransomware targeting Android devices has been spotted in the wild. Codenamed DoubleLocker, the ransomware abuses Android's Accessibility service and reactivates itself every time the user presses the phone's Home button.

This particular ransomware strain has connections to the infamous Svpeng Android banking trojan, one of the oldest and most "innovative" Android malware strains.

Over the years, Svpeng was the first Android banking trojan to:

⇾ Steal money from people's bank accounts via SMS-based account management services [source]
⇾ Overlay fake login screens on top of legitimate banking apps [source]
⇾ Change PINs, block devices, and ask for ransom (first banking trojan to add ransomware-like features) [source, source]

DoubleLocker is based on Svpeng banking trojan code

ESET researcher Lukas Stefanko, who analyzed DoubleLocker, says the ransomware is based on code taken from the Svpeng banking trojan, and more specifically, the code needed to lock devices and encrypt files. Svpeng's normal banking-fraud-related code has not been included in DoubleLocker, at least for now.

Compared to other Android ransomware strains, DoubleLocker is also more sophisticated. For starters, it is the first Android ransomware to abuse Android's Accessibility service to gain admin rights. This is a well-known attack vector for Android devices.

The infection chain usually begins when a user is tricked into installing a malicious Flash Player app on their device. The app then asks for access to the Accessibility service.

If the user grants the app this access, the Accessibility service allows the malicious app to mimic user taps. The app abuses this feature to access the Android settings and grant itself admin rights. Below is a video showing this process, along with the DoubleLocker ransom note.

DoubleLocker changes lock PIN and encrypts files

Once it holds admin rights, DoubleLocker carries out its malicious routine: it changes the device's lock PIN to a random code and encrypts all the files on the device's primary storage medium with the AES encryption algorithm.

DoubleLocker is currently one of the very few Android ransomware strains that actually encrypts files. Most Android ransomware just locks the user's screen.

A second peculiar behavior in DoubleLocker's modus operandi is that it reactivates itself every time the user presses the Home button. The ransomware achieves this by setting itself as the default app launcher on the device.

DoubleLocker uses this trick as a persistence mechanism, to ensure users can't bypass the lock screen. If a user bypasses the lock screen through various means, pressing the Home button restarts the ransomware, and indirectly re-locks the device.
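The two capabilities described above (an app that holds Accessibility service access and device administrator rights, and that has also made itself the Home launcher) are each visible from a trusted workstation over ADB. The following triage helper, an added example written for this article and not code from ESET, Bleeping Computer or the malware, parses the text output of three adb commands and flags any package that combines these privileges. The command names are real adb/Android commands, but the sample outputs, the `com.example.fakeflash` package name and the allow-list are constructed for the example, and the parser deliberately matches component names rather than relying on the exact `dumpsys` layout, which differs between Android versions.

```python
"""Triage helper: flag Android packages that combine the privileges
DoubleLocker chains together (Accessibility service access, device
administrator rights, and the Home/launcher role).

Added example for this write-up; not ESET's, Bleeping Computer's or the
malware's code. The three inputs are the text output of these commands,
run by a defender against a suspect device:

    adb shell settings get secure enabled_accessibility_services
    adb shell dumpsys device_policy
    adb shell cmd package resolve-activity --brief \
        -a android.intent.action.MAIN -c android.intent.category.HOME

The sample outputs below are constructed; the exact dumpsys layout varies
across Android versions, so only package/class component names are parsed.
"""
import re
from typing import Dict, List, Set

# Matches an Android component name such as com.foo.bar/.Service or
# com.foo.bar/com.foo.bar.Service and captures the package part.
COMPONENT_RE = re.compile(r"([a-zA-Z][\w.]*)/[\w.$]+")

# Packages expected to hold these privileges on a managed device
# (constructed allow-list for the example; tune it per fleet).
KNOWN_GOOD: Set[str] = {
    "com.google.android.marvin.talkback",
    "com.android.launcher3",
}

# Constructed sample outputs. com.example.fakeflash is a placeholder name.
SAMPLE_ACCESSIBILITY = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.fakeflash/.AccService"
)
SAMPLE_DEVICE_POLICY = """Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.example.fakeflash/.AdminReceiver:
      uid=10231
"""
SAMPLE_HOME = """priority=0 preferredOrder=0 match=0x108000 isDefault=true
com.example.fakeflash/.LockActivity
"""


def packages_in(text: str) -> Set[str]:
    """Return every package name that appears inside a component name."""
    return {m.group(1) for m in COMPONENT_RE.finditer(text)}


def triage(accessibility_out: str, device_policy_out: str, home_out: str,
           known_good: Set[str] = KNOWN_GOOD) -> Dict[str, List[str]]:
    """Map each non-allow-listed package to the risky privileges it holds.

    Privilege labels are appended in a fixed order (accessibility,
    device_admin, home_launcher) so results are deterministic.
    """
    findings: Dict[str, List[str]] = {}
    sources = [
        ("accessibility", packages_in(accessibility_out)),
        ("device_admin", packages_in(device_policy_out)),
        ("home_launcher", packages_in(home_out)),
    ]
    for label, pkgs in sources:
        for pkg in sorted(pkgs - known_good):
            findings.setdefault(pkg, []).append(label)
    return findings


def high_risk(findings: Dict[str, List[str]]) -> List[str]:
    """Packages holding two or more of the privileges: DoubleLocker's pattern."""
    return sorted(p for p, labels in findings.items() if len(labels) >= 2)


if __name__ == "__main__":
    result = triage(SAMPLE_ACCESSIBILITY, SAMPLE_DEVICE_POLICY, SAMPLE_HOME)
    for pkg, labels in result.items():
        print(f"{pkg}: {', '.join(labels)}")
    print("high risk:", high_risk(result))
```

Feed the helper the saved output of the three commands from a device you are investigating; a package reported under `high_risk` is the one to examine in safe mode, where its device administrator rights can be revoked before uninstalling it, as ESET's advice below describes.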

The ransomware also doesn't send the device's PIN code or encryption key to its authors, but Stefanko says that "after the ransom is paid, the attacker can remotely reset the PIN and unlock the device."

Related to CryEye trojan?

DoubleLocker asks for 0.013 Bitcoin (around $70) and encrypts files using the .cryeye extension.

CryEye is also the name of a malware author who modified a Svpeng banking trojan variant and was selling it on hacking forums in August. Bleeping Computer has reached out to Stefanko for clarification on whether the two strains are related.

Forum ad for CryEye banking trojan

For users affected by DoubleLocker, ESET has the following advice:

The only viable option to clean the device of the DoubleLocker ransomware is via a factory reset.

For rooted devices, however, there is a method to get past the PIN lock without a factory reset. For the method to work, the device needed to be in debugging mode before the ransomware got activated.

If this condition is met, then the user can connect to the device by ADB and remove the system file where the PIN is stored by Android. This operation unlocks the screen so that the user can access their device. Then, working in safe mode, the user can deactivate device administrator rights for the malware and uninstall it. In some cases, a device reboot is needed.

As for the data stored on the device, there is no way to recover it, as mentioned earlier.

Image and video credits: ESET DoubleLocker report