DoubleLocker ransomware is a new Android threat, which as the name suggests, uses two methods to lock the device and prevent victims from accessing their files and using their device.
As with Windows ransomware variants, DoubleLocker encrypts files on the device to prevent them from being accessed. DoubleLocker ransomware uses a powerful AES encryption algorithm to encrypt stored data, changing files extensions to .cryeye
While new ransomware variants sometimes have a poorly developed encryption process with flaws that allow decryptors to be developed, with DoubleLocker ransomware victims are out of luck.
While it is possible for victims to recover their files from backups, first they must contend with the second lock on the device. Rather than combine the encryption with a screen locker, DoubleLocker ransomware changes the PIN on the device. Without the PIN, the device cannot be unlocked.
Researchers at ESET who first detected this new ransomware variant report that the new PIN is a randomly generated number, which is not stored on the device and neither is it transmitted to the attacker’s C&C. The developers allegedly have the ability to remotely delete the PIN lock and supply a valid key to decrypt data.
The ransom demand is much lower than is typical for Windows ransomware variants, which reflects the smaller quantity of data users store on their smartphones. The ransom demand is set at 0.0130 Bitcoin – around $54. The payment must be made within 24 hours of infection, otherwise the attackers claim the device will be permanently locked. The malware is set as the default home app on the infected device, which displays the ransom note. The device will be permanently locked, so the attackers claim, if any attempts are made to block or remove DoubleLocker.
Researchers at ESET have analyzed DoubleLocker ransomware and report that it is based on an existing Android banking Trojan called Android.BankBot.211.origin, although the ransomware variant does not have the functionality to steal banking credentials from the user’s device.
While many Android ransomware variants are installed via bogus or compromised applications, especially those available through unofficial app stores, DoubleLocker is spread via fake Flash updates on compromised websites.
Even though this ransomware variant is particularly advanced, it is possible to recover files if they have been backed up prior to infection. The device can also be recovered by performing a factory reset. If no backup exists, and the ransom is not paid, files will be lost unless the device has been rooted and debugging mode has been switched on prior to infection.
This new threat shows just how important it is to backup files stored on mobile devices, just as it is with those on your PC or Mac and to think before downloading any web content or software update.