Mobile users beware, the DoubleLocker Android ransomware can encrypt victim devices and change the associated PIN codes. At the moment a global attack wave is targeting mobile users using different delivery tactics.
DoubleLocker Android Ransomware Detected
Researchers from leading anti-virus companies report a new threat targeting Android devices. The DoubleLocker Android ransomware is built to compromise the victim device, encrypt its storage with a strong cipher and change the PIN security code.
The route of infection appears to be fake Adobe Flash application instances that ask the targets to enable a “Google Play Services” instance. This is a typical social engineering trick, as Adobe Flash is no longer part of the core Android system. The fake prompts can be delivered in one of the following ways:
- Counterfeit Apps ‒ The hackers can create fake apps which can easily be uploaded to the official Google Play Store repository or other sources.
- Websites and Redirects ‒ Malicious code in hacker-created sites or redirects can trigger the infection.
The current attack wave relies mainly on those two methods; in the future we may see other delivery strategies being employed.
DoubleLocker Android Ransomware Capabilities
One of the first actions the virus takes is to abuse the permissions granted through the accessibility options. These are a series of features built into the Android operating system for people with disabilities. Once the hacker has access to this subsystem they can read the content of running applications and turn on enhanced web features. This is used to install malware scripts and spy on the target’s activities.
As a result the DoubleLocker Android ransomware is capable of spying on the victim users in real time and stealing their files. The malware also installs itself as the default home application, which means that the ransom note is shown as soon as the device is activated. At the same time the ransomware starts to encrypt all found files using the AES cipher. The same mechanism as in the desktop variants is used: all compromised files are renamed with the .cryeye extension.
During the infection phase the PIN code is also changed to a random value, which prevents the owners from recovering their devices. At the moment there is no effective way to recover the data without restoring from a backup. Some rooted devices can be restored if they were placed in debug mode prior to the ransomware installation.
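The two capabilities described above, an accessibility service plus registration as the home application, are both declared in an app's manifest, which makes the combination a useful triage signal. The following is an added example (not code from the article or from any anti-virus vendor) that parses a manifest and flags that pairing; the package names, component names and both manifests are constructed samples.

```python
# Added example (not from the article or any vendor): flag a manifest that both binds an
# accessibility service and registers a HOME launcher, the pairing the text describes.
# The two manifests below are constructed samples.
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"  # prefix for android:* attributes
A11Y_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"
HOME_CAT = "android.intent.category.HOME"

def analyze_manifest(xml_text):
    """Return package name, accessibility services, HOME activities and a verdict."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    services = app.findall("service") if app is not None else []
    activities = app.findall("activity") if app is not None else []
    a11y = [s.get(NS + "name") for s in services if s.get(NS + "permission") == A11Y_PERM]
    home = [a.get(NS + "name") for a in activities
            if any(c.get(NS + "name") == HOME_CAT for c in a.iter("category"))]
    return {
        "package": root.get("package", "<unknown>"),
        "accessibility_services": a11y,
        "home_activities": home,
        # Either capability alone is legitimate (screen readers, launchers); combined they
        # let one app read other apps' screens and replace the home screen.
        "suspicious": bool(a11y) and bool(home),
    }

FAKE_FLASH = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
  package="com.example.fakeflash"><application>
  <activity android:name=".LockScreen"><intent-filter>
    <action android:name="android.intent.action.MAIN"/>
    <category android:name="android.intent.category.HOME"/>
    <category android:name="android.intent.category.DEFAULT"/>
  </intent-filter></activity>
  <service android:name=".Helper"
    android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
</application></manifest>"""

REAL_LAUNCHER = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
  package="com.example.launcher"><application>
  <activity android:name=".Home"><intent-filter>
    <action android:name="android.intent.action.MAIN"/>
    <category android:name="android.intent.category.HOME"/>
  </intent-filter></activity>
</application></manifest>"""

if __name__ == "__main__":
    for manifest in (FAKE_FLASH, REAL_LAUNCHER):
        print(analyze_manifest(manifest))
```

A real APK's manifest is binary-encoded and must first be decoded (for example with apktool or aapt) before it can be fed to this parser; the check is a heuristic, since legitimate launchers with accessibility features exist.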
The sign of the DoubleLocker Android ransomware infection is its note which reads the following:
Current state information
Your personal documents and files on this devices have just been crypted. The original files have been deleted and will only be recovered by following the steps described below. The encryption was done with a unique generated encryption key (using AES-256)
The captured samples blackmail the victims for a fee of 0.0130 Bitcoins, the equivalent of about $73. As always we recommend that users do not pay the hackers but instead attempt to recover their data from a previously made backup.