Microsoft has discovered a sophisticated mobile Android ransomware with novel techniques and behaviour, evading many available protections and registering a low detection rate against security solutions.
Called AndroidOS/MalLocker.B, the mobile ransomware is the latest variant of a ransomware family that’s been in the wild for a while but has been evolving non-stop.
“This ransomware family is known for being hosted on arbitrary websites and circulated on online forums using various social engineering lures, including masquerading as popular apps, cracked games, or video players,” Dinesh Venkatesan from Microsoft Defender Research team said in a security blog post on Thursday.
As with most Android ransomware, this new threat doesn’t actually block access to files by encrypting them.
Instead, it blocks access to devices by displaying a screen that appears over every other window, such that the user can’t do anything else.
“The said screen is the ransom note, which contains threats and instructions to pay the ransom,” Microsoft said.
This new mobile ransomware variant is an important discovery because the malware exhibits behaviours that have not been seen before and could open doors for other malware to follow.
“It reinforces the need for comprehensive defense powered by broad visibility into attack surfaces as well as domain experts who track the threat landscape and uncover notable threats that might be hiding amidst massive threat data and signals,” Microsoft researchers explained.
In the past, Android ransomware used a special permission called “SYSTEM_ALERT_WINDOW” to display their ransom note.
Apps that have this permission can draw a window that belongs to the system group and can’t be dismissed.
No matter what button is pressed, the window stays on top of all other windows.
“The notification was intended to be used for system alerts or errors, but Android threats misused it to force the attacker-controlled UI to fully occupy the screen, blocking access to the device. Attackers create this scenario to persuade users to pay the ransom so they can gain back access to the device,” Microsoft explained.
To adapt, Android malware evolved to misusing other features, but these aren’t as effective.
“The new Android ransomware variant overcomes these barriers by evolving further than any Android malware we’ve seen before”.
Microsoft Defender for Endpoint on Android, now generally available, extends industry-leading endpoint protection to Android.
The company said that it detects this ransomware (AndroidOS/MalLocker.B), as well as other malicious apps and files using cloud-based protection powered by deep learning and heuristics, in addition to content-based detection.