A new ransomware dubbed DoubleLocker has surfaced in the wild, targeting Android devices.

The ransomware locks the device in two ways: it encrypts all files and changes the PIN. DoubleLocker is distributed as a fake Adobe Flash update that is spread through compromised websites.

Once downloaded, the fake update requests activation for Google Play Services because it needs to exploit the device's accessibility services. DoubleLocker then abuses the granted permissions to retrieve window content, which enables advanced web accessibility for installing scripts and monitoring the text that the victim types.

Once the permissions are granted, the ransomware is installed as the default home app, which means that the next time the user goes to the home screen, the ransom message appears. The ransomware encrypts data using the AES encryption algorithm and marks encrypted files with the “.cryeye” extension. The encryption is very effective: without a decryption key it is impossible to unlock the files.

The PIN is changed to a random number that the attackers do not store, which means that recovering access to the device is not possible. The PIN is reset after 24 hours, which is also the deadline that the attackers provide. The attackers demand 0.0130 bitcoins (about $73), which is a lower amount than in previous ransomware attacks.

The only other way for users to regain access to their device is a factory reset, which does not back up any data and permanently deletes it.

Binary Defense recommends users avoid installing apps and software from third-party websites.
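The behaviours described above (installation from outside the official store, an enabled accessibility service, registration as the default home app, and files carrying the “.cryeye” extension) can be combined into a simple triage check. The following is an added example, not code from Binary Defense; the inventory field names, package names and file paths are constructed and hypothetical.

```python
import json

# Constructed device inventory; the field names are hypothetical stand-ins
# for whatever an MDM export or device audit provides.
INVENTORY = json.loads("""
[
 {"package": "com.example.launcher", "installer": "com.android.vending",
  "accessibility_enabled": false, "default_home": true},
 {"package": "com.example.screenreader", "installer": "com.android.vending",
  "accessibility_enabled": true, "default_home": false},
 {"package": "com.example.flashupdate", "installer": null,
  "accessibility_enabled": true, "default_home": true}
]
""")

# Constructed file listing from shared storage.
FILES = ["/sdcard/DCIM/IMG_0001.jpg.cryeye", "/sdcard/Download/report.pdf",
         "/sdcard/Documents/notes.txt.CRYEYE"]

TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play Store package

def indicators(app):
    """Return the behaviours from the write-up that this app exhibits."""
    hits = []
    if app.get("installer") not in TRUSTED_INSTALLERS:
        hits.append("sideloaded")
    if app.get("accessibility_enabled"):
        hits.append("accessibility service enabled")
    if app.get("default_home"):
        hits.append("set as default home app")
    return hits

def triage(inventory):
    """Map package -> (severity, indicators) for apps with two or more indicators."""
    findings = {}
    for app in inventory:
        hits = indicators(app)
        if len(hits) >= 2:
            findings[app["package"]] = ("high" if len(hits) == 3 else "review", hits)
    return findings

def encrypted_files(paths):
    """Files carrying the .cryeye extension reported for this family."""
    return [p for p in paths if p.lower().endswith(".cryeye")]

if __name__ == "__main__":
    for pkg, (sev, hits) in triage(INVENTORY).items():
        print(f"{sev:6} {pkg}: {', '.join(hits)}")
    print("encrypted:", encrypted_files(FILES))
```

A legitimate launcher or screen reader installed from the store shows only one indicator and is not flagged; the combination is what matters.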