"Thanks to using the accessibility service, the user doesn't know that they launch malware by hitting Home," Lukáš Štefanko, ESET malware researcher who discovered DoubleLocker, said in a blog.
The ransomware changes the infected device's PIN, blocking the victim's access to the device. The changed PIN is nearly impossible for either the victim or security experts to retrieve as the hackers operating DoubleLocker neither store the altered PIN nor send it out. The ransomware also encrypts all data stored in the device using the AES encryption algorithm. "The encryption is implemented properly, which means that, unfortunately, there is no way to recover the files without receiving the encryption key from the attackers," Štefanko said.
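The article's point is that the malware's foothold comes from an accessibility service the user was tricked into enabling. A defender's first triage step on a suspect device is therefore to list which accessibility services are enabled and compare them with what is expected. The helper below is an added example, not code from the article or from ESET; it assumes the input is the value printed by `adb shell settings get secure enabled_accessibility_services` (a colon-separated list of `package/ServiceClass` entries), and the allowlist and sample setting are constructed placeholders a fleet owner would replace.

```python
"""Triage helper: flag enabled Android accessibility services that are not on
an allowlist. Added example; not part of the original article or ESET's tooling.

Assumptions (not from the article): the input string is the value printed by
`adb shell settings get secure enabled_accessibility_services`, which Android
stores as colon-separated `package/ServiceClass` entries. The allowlist below
is a constructed placeholder.
"""

from typing import Iterable

# Constructed allowlist of services an organisation expects to see enabled.
ALLOWED_SERVICES = {
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService",
}

# Constructed sample output from the `settings get secure` call; the
# "com.example.fakeplayer" entry stands in for an unexpected sideloaded app.
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.fakeplayer/.svc.A11y"
)


def parse_services(setting: str) -> list[str]:
    """Split the colon-separated setting into `package/Class` entries.

    `settings get` prints the literal string "null" when nothing is set;
    treat that and an empty string as no services enabled.
    """
    setting = setting.strip()
    if not setting or setting == "null":
        return []
    return [entry for entry in setting.split(":") if entry]


def canonical(entry: str) -> str:
    """Expand Android's shorthand `pkg/.Class` to `pkg/pkg.Class` so that
    entries written either way compare consistently."""
    pkg, _, cls = entry.partition("/")
    if cls.startswith("."):
        cls = pkg + cls
    return f"{pkg}/{cls}"


def unexpected_services(setting: str, allowed: Iterable[str] = ALLOWED_SERVICES) -> list[str]:
    """Return enabled services whose canonical name is not on the allowlist."""
    allowed_canon = {canonical(a) for a in allowed}
    return sorted(
        canonical(e) for e in parse_services(setting) if canonical(e) not in allowed_canon
    )


if __name__ == "__main__":
    for svc in unexpected_services(SAMPLE_SETTING):
        print("unexpected accessibility service enabled:", svc)
```

Run it against the real setting value pulled from a device with `adb`; any entry it reports is worth inspecting before the package is trusted, since an accessibility service can observe and act on the screen on the user's behalf.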
DoubleLocker is based on a banking trojan and could become a "ransom-banker", essentially a "two-stage malware" that first tries to drain victims' bank or PayPal accounts and then locks the device and its data down completely. In other words, victims would be unable to access their data, including bank credentials, unless a ransom is paid.
"Speculation aside, we spotted a test version of such a ransom-banker in the wild as long ago as May, 2017," Štefanko said.
The hackers operating DoubleLocker are demanding a ransom of 0.0130 bitcoins ($54, £40), which the victim is required to pay within 24 hours. If the ransom is not paid within 24 hours, the data is not deleted; it simply remains encrypted.
Apart from paying the ransom and obtaining the decryption key from the hackers, the only way victims can remove DoubleLocker from an infected device is to perform a factory reset.
"DoubleLocker serves as just another reason for mobile users to have a quality security solution installed, and to back up their data on a regular basis," Štefanko said.