SecurityWeek

Mobile & Wireless

Android Ransomware Abuses Accessibility Services

A newly discovered ransomware family targeting Android devices is abusing the platform’s accessibility services, ESET warns.

Dubbed DoubleLocker, this innovative Android malware doesn’t merely encrypt users’ data, but also locks the infected devices down, security researchers from ESET say.

The ransomware is based on the source code of BankBot banking Trojan, which is already known for misusing accessibility services on Android. However, the new malware family lacks the functions related to harvesting users’ banking credentials and instead uses two other tools for extorting money from its victims.

BankBot had its source code leaked online in late 2016, which already spawned numerous banking Trojan variations. However, DoubleLocker is the first Android ransomware to leverage the leaked code.

DoubleLocker mainly spreads as a fake Adobe Flash Player application downloadable through compromised websites. Once installed on the victim’s device, it requests activation of the accessibility service called “Google Play Service,” which allows it to gain administrator rights and set itself as the default Home application, without the user’s consent.

The malware also changes the device’s PIN code, locking the victim out. The new PIN is a randomly generated value that is neither stored on the device nor sent out, so the user has no way to recover it. The attackers, however, retain the ability to remotely reset the PIN and unlock the device.

“Setting itself as a default home app – a launcher – is a trick that improves the malware’s persistence. Whenever the user clicks on the Home button, the ransomware gets activated and the device gets locked again. Thanks to using the accessibility service, the user doesn’t know that they launched malware by hitting Home,” explains ESET Malware Researcher Lukáš Štefanko.
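The behaviour described above, a sideloaded app that holds an enabled accessibility service under a Google-sounding name, leaves a footprint that can be triaged from two standard `adb shell` queries. The following is an added example of such a triage check, not code from ESET or the article; the package names, service names and installer listing are constructed sample data, and the heuristics (Play Store installer, `com.google.android.` namespace) are assumptions a responder would tune.

```python
import re

# Constructed sample of `adb shell settings get secure enabled_accessibility_services`
# (package/service pairs separated by ':'); not taken from a real device.
SAMPLE_ENABLED = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.flashupdate/com.example.flashupdate.PlayService"
)

# Constructed sample of `adb shell pm list packages -i` output; installer=null
# means the APK was sideloaded rather than installed through Google Play.
SAMPLE_PM = """package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.flashupdate  installer=null
package:com.android.vending  installer=null
"""

PLAY_STORE = "com.android.vending"  # assumed trusted installer


def parse_enabled_services(raw):
    """Split the settings value into (package, service class) tuples."""
    out = []
    for entry in raw.strip().split(":"):
        if "/" in entry:
            pkg, svc = entry.split("/", 1)
            out.append((pkg, svc))
    return out


def parse_installers(raw):
    """Map package name -> installer package (None when sideloaded)."""
    installers = {}
    for line in raw.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            pkg, inst = m.groups()
            installers[pkg] = None if inst == "null" else inst
    return installers


def flag_suspicious(enabled, pm_listing):
    """Return packages with an enabled accessibility service that either were not
    installed from Google Play (or are unknown to pm) or carry a Google/Play-style
    service name while living outside the com.google.android namespace."""
    installers = parse_installers(pm_listing)
    flagged = []
    for pkg, svc in parse_enabled_services(enabled):
        sideloaded = installers.get(pkg) != PLAY_STORE
        lookalike = (("play" in svc.lower() or "google" in svc.lower())
                     and not pkg.startswith("com.google.android."))
        if sideloaded or lookalike:
            flagged.append(pkg)
    return flagged
```

A flagged package is a lead for further review (device-admin status, default Home activity), not a verdict on its own.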

Next, the ransomware encrypts all of the files located in the device’s primary storage directory. The malware uses the AES encryption algorithm for this operation and appends the .cryeye extension to the affected files.

The ransom note claims that the original files have been deleted and that users should pay the ransom within 24 hours. The malware asks for a 0.0130 Bitcoin ransom (around $50) and displays a QR code that should make it easier for victims to pay.

“DoubleLocker misuses Android accessibility services, which is a popular trick among cybercriminals. Its payload can change the device’s PIN, preventing the victim from accessing their device and encrypts the victim’s data. Such a combination hasn’t been seen yet in the Android ecosystem,” Štefanko says.

The security researcher also points out that, although the ransomware lacks the credential harvesting capabilities BankBot has, such functionality could be easily added to it.

“Given its banking malware roots, DoubleLocker may well be turned into what can be called ransom-bankers. Two-stage malware that first tries to wipe your bank or PayPal account and subsequently locks your device and data to request a ransom… Speculation aside, we spotted a test version of such a ransom-banker in the wild as long ago as May, 2017,” warns Štefanko.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
