A new ransomware targeting Android devices has been spotted in the wild. Codenamed DoubleLocker, the ransomware abuses Android's Accessibility service and reactivates itself every time the user presses the phone's Home button.
This particular ransomware strain has connections to the infamous Svpeng Android banking trojan, one of the oldest and most "innovative" Android malware strains.
Over the years, Svpeng was the first Android banking trojan to:
ESET researcher Lukas Stefanko, who analyzed DoubleLocker, says the ransomware is based on code taken from the Svpeng banking trojan, and more specifically, the code needed to lock devices and encrypt files. Svpeng's normal banking-fraud-related code has not been included in DoubleLocker, at least for now.
Compared to other Android ransomware strains, DoubleLocker is also more sophisticated. For starters, it is the first Android ransomware to abuse Android's Accessibility service to gain admin rights. This is a well-known attack vector for Android devices.
An infection usually begins when a user is tricked into installing a malicious Flash Player app on their device. The app asks for access to the Accessibility service.
If the user grants the app this access, the Accessibility service allows the malicious app to mimic user taps. The app abuses this feature to access the Android settings and grant itself admin rights. Below is a video showing this process, along with the DoubleLocker ransom note.
After this, DoubleLocker initiates its malicious behavior: it locks the device with a random PIN code and encrypts all the files on the device's primary storage medium with the AES encryption algorithm.
DoubleLocker is currently one of the very few Android ransomware strains that actually encrypts files. Most Android ransomware just locks the user's screen.
A second peculiar behavior in DoubleLocker's modus operandi is that it reactivates itself every time the user presses the Home button. The ransomware achieves this by setting itself as the default app launcher on the device.
DoubleLocker uses this trick as a persistence mechanism, to ensure users can't bypass the lock screen. If a user bypasses the lock screen through various means, pressing the Home button restarts the ransomware, and indirectly re-locks the device.
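As an added defender-side example (not code from the article or from ESET's report), the following Python script checks an attached Android device for the three roles DoubleLocker claims at once: an enabled accessibility service, device-administrator rights, and ownership of the default Home launcher. One non-stock package holding two or more of these roles is the pattern described above. It assumes the adb tool is installed and USB debugging is enabled; the allow-list of stock package names, the com.example.flashplayer package, and the sample command outputs are constructed for illustration, and the exact dumpsys layout varies between Android versions.

```python
"""Triage an Android device for the combination of roles that DoubleLocker
abuses: an enabled accessibility service, device-administrator rights and
ownership of the default Home launcher.  Added example; not ESET's code."""
import re
import subprocess
from typing import Dict, List, Set

# Hypothetical allow-list of packages that legitimately hold these roles on a
# stock device; extend it with your fleet's vendor launcher / MDM agent.
KNOWN_GOOD: Set[str] = {
    "com.android.launcher3",
    "com.google.android.apps.nexuslauncher",
    "com.android.settings",
}

COMPONENT_RE = re.compile(r"([A-Za-z0-9_.]+)/")


def package_of(component: str) -> str:
    """Return the package part of 'pkg/cls' (also inside ComponentInfo{...})."""
    m = COMPONENT_RE.search(component)
    return m.group(1) if m else component.strip()


def accessibility_packages(setting_value: str) -> List[str]:
    """Parse 'settings get secure enabled_accessibility_services': a
    colon-separated list of components, or 'null' when nothing is enabled."""
    value = setting_value.strip()
    if not value or value == "null":
        return []
    return sorted({package_of(c) for c in value.split(":") if c})


def device_admin_packages(dump: str) -> List[str]:
    """Pull package names from a 'dumpsys device_policy' dump.  Only the
    ComponentInfo{pkg/cls} notation is relied on, because the surrounding
    layout differs between Android versions (assumption)."""
    return sorted({m.group(1) for m in
                   re.finditer(r"ComponentInfo\{([A-Za-z0-9_.]+)/", dump)})


def home_package(resolve_output: str) -> str:
    """Take the package from the component line printed by
    'cmd package resolve-activity --brief' for the HOME intent."""
    for line in resolve_output.splitlines():
        line = line.strip()
        if "/" in line and not line.startswith("priority="):
            return package_of(line)
    return ""


def triage(accessibility: str, admins: str, home: str,
           known_good: Set[str] = KNOWN_GOOD) -> Dict[str, List[str]]:
    """Return non-allow-listed packages per role, plus 'multi_role': packages
    holding two or more roles, which is the DoubleLocker pattern."""
    roles: Dict[str, List[str]] = {
        "accessibility": [p for p in accessibility_packages(accessibility)
                          if p not in known_good],
        "device_admin": [p for p in device_admin_packages(admins)
                         if p not in known_good],
        "home_launcher": [p for p in [home_package(home)]
                          if p and p not in known_good],
    }
    counts: Dict[str, int] = {}
    for pkgs in roles.values():
        for p in pkgs:
            counts[p] = counts.get(p, 0) + 1
    roles["multi_role"] = sorted(p for p, n in counts.items() if n >= 2)
    return roles


def adb_shell(*args: str) -> str:
    """Run a command on the attached device (needs adb and USB debugging)."""
    return subprocess.run(["adb", "shell", *args], capture_output=True,
                          text=True, check=True).stdout


def triage_live() -> Dict[str, List[str]]:
    """Collect the three pieces of device state over adb and triage them."""
    return triage(
        adb_shell("settings", "get", "secure", "enabled_accessibility_services"),
        adb_shell("dumpsys", "device_policy"),
        adb_shell("cmd", "package", "resolve-activity", "--brief",
                  "-a", "android.intent.action.MAIN",
                  "-c", "android.intent.category.HOME"),
    )


# Constructed sample outputs (not captured from a real infection) in which a
# fake "Flash Player" package holds all three roles.
SAMPLE_ACCESSIBILITY = "com.example.flashplayer/.AccService"
SAMPLE_ADMINS = """Current Device Policy Manager state:
  Enabled Device Admins (User 0):
    admin=ComponentInfo{com.example.flashplayer/.AdminReceiver}
      uid=10123
"""
SAMPLE_HOME = """priority=0 preferredOrder=0 match=0x108000 specificIndex=-1 isDefault=true
com.example.flashplayer/.LockActivity
"""

if __name__ == "__main__":
    for role, pkgs in triage(SAMPLE_ACCESSIBILITY, SAMPLE_ADMINS, SAMPLE_HOME).items():
        print(f"{role:14s} {', '.join(pkgs) or '-'}")
```

Run `triage_live()` with a device attached; a package listed under `multi_role` is the one that the safe-mode step in ESET's advice has to strip of device-administrator rights before it can be uninstalled.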
The ransomware does not send the device's new PIN code or the encryption key to its authors, but Stefanko says that "after the ransom is paid, the attacker can remotely reset the PIN and unlock the device."
DoubleLocker asks for 0.013 Bitcoin (around $70) and appends the .cryeye extension to the files it encrypts.
CryEye is also the name of a malware author who modified a Svpeng banking trojan variant and was selling it on hacking forums in August. Bleeping Computer has reached out to Stefanko for clarification on whether these two strains are related.
For users affected by DoubleLocker, ESET has the following advice:
The only viable option to clean the device of the DoubleLocker ransomware is via a factory reset.
For rooted devices, however, there is a method to get past the PIN lock without a factory reset. For the method to work, the device must have had debugging mode enabled before the ransomware was activated.
If this condition is met, the user can connect to the device via ADB and remove the system file in which Android stores the PIN. This unlocks the screen so that the user can access their device. Then, working in safe mode, the user can deactivate device administrator rights for the malware and uninstall it. In some cases, a device reboot is needed.
As for the data stored on the device, there is no way to recover it, as mentioned earlier.
Image and video credits: ESET DoubleLocker report