Dubbed “DoubleLocker,” this new strain targets Android devices. It uses and abuses the platform’s Accessibility Service, reactivating itself every time the user presses the phone’s “Home” button.
Initial forensic analysis of the code base reveals this new threat to be based on Svpeng, which is a nasty form of malware that has a rather infamous reputation among Android users. It is one of the best-known banking trojans on the platform, used to steal money from people’s bank accounts, change PINs, brick devices and demand ransoms to return them to operability.
Although DoubleLocker does not contain Svpeng’s banking hack features, it is a very advanced, highly sophisticated piece of code.
As with so many other malicious programs, it gains an initial foothold on the user’s machine by disguising itself as some other, perfectly legitimate program (most often, Flash Player). Once installed, if the user grants the app access, Android’s Accessibility service allows the app to mimic user screen taps and swipes, allowing it to navigate around on the user’s phone.
It immediately locks the user’s PIN with a ransom PIN code and encrypts all files on the device.
This is the most significant development, because previous to finding DoubleLocker in the wild, most other Android ransomware worked by simply locking the user’s phone. This one takes cues from PC-based ransomware and takes the added step of encrypting the files themselves.
Another intriguing difference is that while most ransomware is configured to send the user an unlock code once the ransom is paid, no such code is sent to a user infected by DoubleLocker. Instead, the hackers unlock the phone remotely, upon receiving payment.
For users impacted by DoubleLocker, the following advice has been offered by ESET:
“The only viable option to clean the device of the DoubleLocker ransomware is via a factory reset.
For rooted devices, however, there is a method to get past the PIN lock without a factory reset. For the method to work the device needed to be in the debugging mode before the ransomware got activated.
If this condition is met, then the user can connect to the device by ADB and remove the system file where the PIN is stored by Android. This operation unlocks the screen so that the user can access their device. Then, working in safe mode, the user can deactivate device admin rights for the malware and uninstall it. In some cases, a reboot is needed. As for data stored on the device, there is no way to recover it, as mentioned earlier.”