DoubleLocker targets the Android operating system, masquerades as a Flash Player app, and shares similarities with the Svpeng trojan. When a victim downloads and installs the app, a request to access the Accessibility service on the device is displayed. If the victim agrees and completes the installation process, DoubleLocker grants itself administrative rights, locks the device with a random PIN code, and encrypts all of the files stored in the device's primary storage directory using AES encryption, appending .cryeye to the names of the encrypted files. In addition, DoubleLocker sets itself as the default app launcher on the device and reactivates itself every time the victim presses the device's "home button" to maintain persistence and prevent victims from bypassing the lock screen. After DoubleLocker encrypts the device's files, it displays a ransom note on the screen. DoubleLocker demands a ransom payment of 0.013 Bitcoin.
- ESET provides more information on DoubleLocker here.
- The NJCCIC is not currently aware of any free decryption tool available for DoubleLocker. However, the ransomware can be removed from the affected device by performing a factory reset. This action will only rid the device of the malware and will not decrypt the files.
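The profile above describes one app holding three control points at once (Accessibility service, device administrator, default launcher) and leaving files renamed with .cryeye. The Python triage sketch below is an added example, not code from the NJCCIC or ESET; the snapshot layout, package names and file paths are constructed, and it assumes these values were already collected from the device or an MDM export.

```python
# Added triage example: correlates the traits described in the profile above.
# Package names, paths and the snapshot layout are constructed for illustration.
from collections import defaultdict

RANSOM_EXT = ".cryeye"  # extension named in the profile

def package_of(component: str) -> str:
    """'com.example/.Svc' -> 'com.example' (Android flattened component name)."""
    return component.strip().split("/", 1)[0]

def triage(snapshot: dict) -> dict:
    """Return untrusted packages holding 2+ control points, plus renamed files."""
    traits = defaultdict(set)
    # The enabled_accessibility_services secure setting is a colon-separated list.
    for comp in filter(None, snapshot.get("enabled_accessibility_services", "").split(":")):
        traits[package_of(comp)].add("accessibility")
    for comp in snapshot.get("device_admins", []):
        traits[package_of(comp)].add("device_admin")
    home = snapshot.get("default_home")
    if home:
        traits[package_of(home)].add("home_launcher")
    trusted = set(snapshot.get("trusted_packages", []))
    suspects = {pkg: sorted(t) for pkg, t in traits.items()
                if len(t) >= 2 and pkg not in trusted}
    encrypted = [p for p in snapshot.get("files", []) if p.lower().endswith(RANSOM_EXT)]
    return {"suspects": suspects, "encrypted_files": encrypted}

# Constructed sample snapshot (hypothetical field names and values)
SAMPLE = {
    "enabled_accessibility_services":
        "com.example.screenreader/.ReaderService:com.fake.flashplayer/.HelperService",
    "device_admins": ["com.example.mdm/.AdminReceiver",
                      "com.fake.flashplayer/.AdminReceiver"],
    "default_home": "com.fake.flashplayer/.LauncherActivity",
    "trusted_packages": ["com.example.mdm"],
    "files": ["/sdcard/DCIM/IMG_0001.jpg.cryeye", "/sdcard/Download/report.pdf",
              "/sdcard/Documents/notes.txt.cryeye"],
}

if __name__ == "__main__":
    result = triage(SAMPLE)
    for pkg, held in result["suspects"].items():
        print(f"review {pkg}: {', '.join(held)}")
    print(f"{len(result['encrypted_files'])} file(s) ending in {RANSOM_EXT}")
```

A package that holds only one of the three roles, such as a screen reader or an MDM agent, is not flagged; the list of renamed files helps scope what a factory reset will not recover.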