DoubleLocker
The first Android ransomware to combine file encryption with a device PIN change. Discovered by ESET in October 2017, DoubleLocker was built on the Svpeng banking trojan codebase but stripped of its banking fraud functionality. It was also the first Android ransomware to abuse Accessibility Services, using them to activate Device Administrator and set itself as the default Home application.
Overview
| Property | Value |
|---|---|
| First Seen | October 2017 |
| Type | Ransomware (dual-mechanism: file encryption + PIN change) |
| Attribution | Unknown (Svpeng codebase) |
| Aliases | Android/DoubleLocker.A (ESET) |
Distribution
Distributed as a fake Adobe Flash Player update through compromised websites. It did not spread on its own; the victim had to install the package manually.
Capabilities
| Capability | Implementation |
|---|---|
| File encryption | AES encryption of all user files, with a .cryeye extension appended to each encrypted file |
| PIN change | Changed device PIN to a random value unknown to both victim and attacker |
| Accessibility abuse | First ransomware to use Accessibility for activation |
| Home app hijack | Set itself as default Home application, re-triggered on every Home button press |
| Device Admin | Activated Device Administrator via Accessibility |
| Ransom demand | 0.0130 BTC (~$54 at the time) within 24 hours |
Attack Flow
- Victim installs fake Adobe Flash Player
- Malware requests activation of accessibility service named "Google Play Service"
- Via Accessibility, activates Device Administrator privileges
- Sets itself as default Home application
- Encrypts all files with AES (.cryeye extension)
- Changes device PIN to a random value
- Displays ransom note on every Home button press
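The capabilities table and the attack flow above describe a combination of three components that is unusual in a single app: an accessibility service (with a lookalike label such as "Google Play Service"), a Device Administrator receiver, and an activity that registers as a HOME launcher. The script below is an added example written for this page, not ESET's tooling or code from the malware; it parses a decoded AndroidManifest.xml (as produced by apktool or aapt) and flags that combination as a triage heuristic. The manifest string, package name and component names are constructed for illustration, and the lookalike-label list is an assumption of the example rather than something the profile specifies.

```python
"""Manifest triage for the DoubleLocker component combination.

Added example for this page (not ESET's or the malware's code). It parses a
decoded AndroidManifest.xml and reports whether an app declares, together,
an accessibility service, a device-admin receiver and a HOME launcher activity.
"""

import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _a(attr):
    """Fully qualified name of an android:<attr> attribute as ElementTree sees it."""
    return "{%s}%s" % (ANDROID_NS, attr)


# Constructed manifest resembling the combination described in the profile.
# Package name, class names and labels are placeholders, not values from a real sample.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashupdate">
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <application android:label="Adobe Flash Player">
    <activity android:name=".Main">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.HOME"/>
        <category android:name="android.intent.category.DEFAULT"/>
      </intent-filter>
    </activity>
    <service android:name=".AccSvc" android:label="Google Play Service"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <receiver android:name=".AdminRcv"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Assumed list of labels that impersonate system components; extend as needed.
LOOKALIKE_LABELS = ("google play service", "google play services", "system update")


def _filter_names(component, tag):
    """All <action>/<category> names declared in a component's intent-filters."""
    return {e.get(_a("name")) for f in component.iter("intent-filter") for e in f.iter(tag)}


def triage_manifest(xml_text):
    """Return the list of findings for one decoded manifest."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    findings = []
    if app is None:
        return findings
    for svc in app.iter("service"):
        if svc.get(_a("permission")) == "android.permission.BIND_ACCESSIBILITY_SERVICE":
            findings.append("accessibility_service")
            label = (svc.get(_a("label")) or "").strip().lower()
            if label in LOOKALIKE_LABELS:
                findings.append("accessibility_label_lookalike")
    for rcv in app.iter("receiver"):
        if rcv.get(_a("permission")) == "android.permission.BIND_DEVICE_ADMIN":
            findings.append("device_admin_receiver")
    for act in app.iter("activity"):
        if "android.intent.category.HOME" in _filter_names(act, "category"):
            findings.append("home_launcher_activity")
    return findings


def doublelocker_like(findings):
    """True only when all three mechanisms from the profile appear together."""
    required = {"accessibility_service", "device_admin_receiver", "home_launcher_activity"}
    return required <= set(findings)


if __name__ == "__main__":
    result = triage_manifest(SAMPLE_MANIFEST)
    print("findings:", result)
    print("DoubleLocker-like combination:", doublelocker_like(result))
```

Each of the three components is legitimate on its own (screen readers, MDM agents and third-party launchers declare them), so the heuristic only fires on the conjunction; a lookalike label on the accessibility service is reported separately as a supporting indicator rather than a requirement.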
Significance
ESET noted that DoubleLocker could be upgraded to a "ransom-banker" combining ransomware and banking trojan functionality, since the underlying Svpeng codebase already had credential-theft capabilities. This predicted the later emergence of families like LokiBot that combined both functions.