According to researchers at ESET, who discovered DoubleLocker, the ransomware is distributed via compromised websites and poses as a fake Adobe Flash Player app. The ransomware requests the victim to grant accessibility permissions which it uses to activate the device administrator rights and set itself as the default home application. This allows the ransomware to reactivate itself every time a user clicks on the home button.
“Setting itself as a default home app – a launcher – is a trick that improves the malware’s persistence. Whenever the user clicks on the home button, the ransomware gets activated and the device gets locked again. Thanks to using the accessibility service, the user doesn’t know that they launch malware by hitting Home,” Lukáš Štefanko, ESET malware researcher who discovered DoubleLocker, said in a blog.
The ransomware changes the infected device’s PIN, blocking the victim’s access to the device. The changed PIN is nearly impossible for either the victim or security experts to retrieve as the hackers operating DoubleLocker neither store the altered PIN nor send it out. The ransomware also encrypts all data stored in the device using the AES encryption algorithm. “The encryption is implemented properly, which means that, unfortunately, there is no way to recover the files without receiving the encryption key from the attackers,” Štefanko said.
DoubleLocker is based on a banking trojan and could become a “ransom-banker”, which is essentially a “two-stage malware”, that tries to wipe out victims’ bank or PayPal accounts, locking the device and data down completely. In other words, victims would be unable to access their data, including bank credentials unless a ransom payment is made.
“Speculation aside, we spotted a test version of such a ransom-banker in the wild as long ago as May, 2017,” Štefanko said.
The hackers operating DoubleLocker are demanding a ransom of 0.0130 bitcoins ($54, £40), which the victim is required to pay up within 24 hours. However, if the ransom payment isn’t made within 24 hours, the data is not deleted and instead remains encrypted.
Apart from paying the ransom and obtaining the decryption key from the hackers, the only way victims can clean out the infected device of DoubleLocker is to perform a factory reset.
“DoubleLocker serves as just another reason for mobile users to have a quality security solution installed, and to back up their data on a regular basis,” Štefanko said.