DoubleLocker ransomware - a new threat to Android users

DoubleLocker infiltrates Android devices pretending to be Flash Player update

Malware researchers have just discovered a new version of Android virus that might work as a banking trojan and mobile ransomware. Known as DoubleLocker, malware, seems to be related to the Svpeng banking trojan. However, this malicious program seems to be more sophisticated.^[1]

Authors of the virus did not choose unique infiltration strategy. They use a fake Flash Player update and trick users into downloading it themselves. The obfuscated update might be available on various compromised websites. Thus, it’s another reminder to stay away from suspicious app stores.

According to the ESET researcher Lukas Stefanko,^[2] DoubleLocker is create based on Svpeng banking trojan.^[3] However, the recent research data claims that it does not have a banking-fraud related code. Though, this feature might be updated soon. Then this Android malware might be used for swindling the money from victim’s bank or PayPal accounts.

Currently, it works as a ransomware virus that also locks targeted device. Victims are asked to pay 0.013 in order to get access to the device and restore encrypted files. However, no one can guarantee that this deal with work.

DoubleLocker misuses Android accessibility services

As soon as the Android mobile malware^[4] is installed on the device, it asks to activate “Google Play Service.” Undoubtedly, users give this permission without realizing that they are letting malware to get administrative rights of their phones.

On the device, it sets itself as default app and works as a launcher. It means that every time users click the home button, ransomware is activated. Malware is designed to lock the phone and replace its PIN code. Not only a victim loses access to its phone, but his or her files are also being encrypted with strong AES encryption algorithm and corrupted with .cryeye file extension.

Once these hazardous tasks are completed, DoubleLocker delivers a ransom note where victims are told to pay the ransom if they want to use their phone ever again. Criminals provide detailed instructions and promise to restore the files as soon as they receive the ransom.

Removal of Android virus might require performing factory reset

Of course, ransomware prevention is the most important task. But what should you do if you failed – to pay or not to pay? Security experts agree that paying the ransom is never an option. Thus, after the attack, you should eliminate DoubleLocker immediately. However, this process might not be simple.

According to the researcher, victims with non-rooted devices have only one possibility to unlock the device – factory reset. Meanwhile, such harsh method is not needed for routed devices owners. The can reset PIN using Android Debug Bridge (ADB) tool.^[5] Though, once you get access to the infected phone, you should get rid of malware with a professional mobile-security program.

Unfortunately, there’s no way to recover encrypted files. However, if you have backups stored in the cloud, they should remain untouched by ransomware.