A new Android phone threat is out in the wild!

DoubleLocker is based on code from the banking trojan Android.BankBot.211.origin, which forces users to grant it access to the smartphone’s accessibility service. Once launched (typically from a fake Adobe Flash Player app on a compromised website), it will try to obtain accessibility permissions. It then uses the accessibility permissions to activate device admin rights and set itself up as the home application on the phone.

The ransomware uses two techniques to get its victims to pay up:

  1. It changes the device PIN to a new credential which isn’t stored on the phone or sent anywhere. The PIN is only reset by the attacker following payment of the ransom.
  2. It encrypts all files in the device’s primary storage directory using the AES algorithm, and the encrypted files carry the “.cryeye” extension.

Note: There’s no way to recover the files without the encryption key. The ransom of 0.0130 BTC ($54) must be paid within the 24-hour deadline.

For those not wanting to pay up, the only option is to start a factory reset, although all your stored data will also be lost.
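The behaviour described above gives a defender two things to check on a device: whether one package holds the accessibility, device admin and home roles at once, and whether files on primary storage carry the “.cryeye” extension. The following is an added example, not code from the original article or from the malware; it assumes the role data has already been collected from the device (the accessibility value in the colon-separated format of the `enabled_accessibility_services` secure setting), and every package name and path in it is constructed sample data.

```python
# Added example, not DoubleLocker code. Package names and paths are constructed.
from pathlib import PurePosixPath

def packages_of(components):
    """Map flattened 'package/class' component names to their package names."""
    cleaned = (c.strip() for c in components)
    return {c.split("/", 1)[0] for c in cleaned if c and c != "null"}

def triage(accessibility_setting, admin_components, home_package, file_listing):
    """Return (suspects, roles, encrypted).

    suspects:  packages that are accessibility service, device admin and
               home application at the same time (the combination in the text)
    roles:     every package seen, with the set of roles it holds
    encrypted: paths whose final extension is .cryeye
    """
    roles = {}
    for pkg in packages_of(accessibility_setting.split(":")):
        roles.setdefault(pkg, set()).add("accessibility")
    for pkg in packages_of(admin_components):
        roles.setdefault(pkg, set()).add("device_admin")
    if home_package:
        roles.setdefault(home_package, set()).add("home")
    suspects = sorted(p for p, r in roles.items() if len(r) == 3)
    encrypted = [f for f in file_listing
                 if PurePosixPath(f).suffix.lower() == ".cryeye"]
    return suspects, roles, encrypted

# Constructed sample inputs (hypothetical packages, not real indicators).
SAMPLE_ACCESSIBILITY = ("com.example.flashupdate/.HelperService:"
                        "com.example.reader/.TalkService")
SAMPLE_ADMINS = ["com.example.flashupdate/.AdminReceiver",
                 "com.example.mdm/.PolicyReceiver"]
SAMPLE_HOME = "com.example.flashupdate"
SAMPLE_FILES = ["/sdcard/DCIM/IMG_0001.jpg.cryeye",
                "/sdcard/Download/notes.txt",
                "/sdcard/Documents/tax.pdf.cryeye"]

if __name__ == "__main__":
    suspects, roles, encrypted = triage(
        SAMPLE_ACCESSIBILITY, SAMPLE_ADMINS, SAMPLE_HOME, SAMPLE_FILES)
    print("packages holding all three roles:", suspects)
    print(len(encrypted), "file(s) with the .cryeye extension")
```

A package that holds only one or two of the roles (a screen reader, an MDM agent) is listed in `roles` but not in `suspects`, which keeps legitimate accessibility and admin apps out of the alert.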