This particular ransomware strain has connections to the infamous Svpeng Android banking trojan, one of the oldest and most "innovative" Android malware strains. While it currently lacks the modules to steal users' banking credentials, that functionality could easily be added in the future. The ransomware can lock down the victim's phone completely, encrypting all data and changing the infected phone's PIN. "Thanks to using the accessibility service, the user doesn't know that they launched malware by hitting Home," says Lukáš Štefanko, malware researcher at ESET. The result would be two-stage malware that first tries to wipe the victim's bank or PayPal account and then locks the device and its data to demand a ransom.
Once downloaded onto the device, the fake Adobe Flash app asks the user to activate "Google Play Services"; what it is really requesting is accessibility permissions, abusing accessibility services, a feature created to help people with disabilities use their phone. With those permissions granted, the ransomware activates device administrator rights for itself and sets itself as the device's default home application (launcher). Whenever the user presses the Home button, the ransomware is activated and the device is locked again.
DoubleLocker uses this trick as a persistence mechanism, to ensure users can't bypass the lock screen.
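The two settings this persistence trick depends on, the enabled accessibility services and the default HOME handler, can both be read from a device over adb. The following triage check is an added example, not code from the article or from ESET: it parses the output of `adb shell settings get secure enabled_accessibility_services` and `adb shell cmd package resolve-activity --brief -a android.intent.action.MAIN -c android.intent.category.HOME` and flags a HOME handler that is not on an allowlist of known launchers and also has an accessibility service enabled. The launcher allowlist, the package name `com.fake.flash` and both sample outputs are constructed for the example.

```python
import re
from typing import Dict, Optional, Set

# Assumed allowlist of launchers an organisation treats as legitimate.
KNOWN_LAUNCHERS = {
    "com.google.android.apps.nexuslauncher",
    "com.android.launcher3",
    "com.sec.android.app.launcher",
}

# Matches an Android component reference such as com.pkg/.SomeService.
COMPONENT_RE = re.compile(r"([a-zA-Z][\w.]*)/[\w.$]+")


def accessibility_packages(settings_output: str) -> Set[str]:
    """Package names with an accessibility service enabled.

    The setting is a colon-separated list of package/service components.
    """
    return {m.group(1) for m in COMPONENT_RE.finditer(settings_output)}


def default_home_package(resolve_output: str) -> Optional[str]:
    """Package name of the activity that currently resolves the HOME intent."""
    m = COMPONENT_RE.search(resolve_output)
    return m.group(1) if m else None


def triage(settings_output: str, resolve_output: str) -> Dict[str, object]:
    """Flag the DoubleLocker pattern: unknown launcher + accessibility service."""
    home = default_home_package(resolve_output)
    a11y = accessibility_packages(settings_output)
    suspicious = home is not None and home not in KNOWN_LAUNCHERS and home in a11y
    return {"home": home, "accessibility": sorted(a11y), "suspicious": suspicious}


# Constructed sample outputs modelled on the behaviour described in the article.
SAMPLE_SETTINGS = "com.android.talkback/.TalkBackService:com.fake.flash/.PlayService"
SAMPLE_RESOLVE = "priority=0 preferredOrder=0 match=0x108000\n  com.fake.flash/.LockActivity\n"

if __name__ == "__main__":
    print(triage(SAMPLE_SETTINGS, SAMPLE_RESOLVE))
```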
Once DoubleLocker changes a victim's PIN code, it is impossible to regain access to the device: the new PIN is a random selection of digits that is not saved anywhere. Despite its banking-trojan roots, the malware currently shows no interest in financial information on the device; instead it encrypts the data and changes the PIN code of the smartphone or tablet. The changed PIN is almost impossible for either the victim or security experts to retrieve, because the hackers operating DoubleLocker neither store the altered PIN nor send it out. The hackers can remotely reset the PIN once the ransom is paid.
Beyond changing the PIN, DoubleLocker encrypts all files in the device's primary storage directory. "It utilizes the AES encryption algorithm, appending the filename extension '.cryeye'."
Users with DoubleLocker-infected devices have 24 hours to pay 0.0130 Bitcoin (about $73.38 at the time of this writing) to decrypt their data.
A deadline of 24 hours for paying the ransom is issued by the attackers, who claim "Without [the software], you will never be able to get your original files back". To prevent unwanted removal of the "software", the crooks even recommend disabling the user's antivirus software.
For devices that are not rooted and that do not have a mobile device management solution installed that is capable of resetting the PIN, the only way to remove the PIN lock screen is a factory reset. If the device is rooted, however, the user can delete the system file in which the PIN is stored, which then allows the device to be reset manually. For this to work, the device needs to have debugging enabled (Settings - Developer options - USB Debugging).
DoubleLocker is a threat to any Android device. It is particularly worrying because it does not require a "rooted" phone (which would give the attacker extra access to run its own code), yet its effect is severe: it locks the user completely out of their own device.