In a recent blog post, Microsoft announced that its security platform for Android, Microsoft Defender for Endpoint, has detected a new and dangerous strain of malware that could spell trouble for Android phone users. According to the Microsoft 365 Defender research team, it is “a piece of a particularly sophisticated Android ransomware with novel techniques and behaviour, exemplifying the rapid evolution of mobile threats that we have also observed on other platforms”.
Microsoft stated that the ransomware family, called AndroidOS/MalLocker.B, is known for being hosted on arbitrary websites and circulated on online forums using various social engineering lures, including masquerading as popular apps, cracked games or video players.
The discovery shows a worrying trend of rising ransomware incidents, with a reported increase of 50% in global ransomware attacks in the third quarter of 2020 compared to the first half.
However, like previous strains, MalLocker.B doesn’t actually block access to files by encrypting them. Instead, it blocks access to the device by displaying a screen that appears over every other window, so that the user can’t do much of anything.
The difference now is that past strains relied only on the Android “SYSTEM_ALERT_WINDOW” permission: they simply drew over other apps so that the user could not reach any other application, and that kind of compromise is easy to undo.
“Other ransomware families use infinite loops of drawing non-system windows, but in-between drawing and redrawing, it’s possible for users to go to settings and uninstall the offending app”, added Microsoft. Some other strains of ransomware abuse accessibility features and services, a method that can easily alarm users because they are warned that the app will be able to monitor their activity.
In the MalLocker.B ransomware strain, a new and more sophisticated scheme is utilised as it has evolved to bypass past security features. According to Microsoft, the malware surfaces its ransom note by using a series of techniques that take advantage of the following components on Android:
The “call” notification: among the several categories of notification that Android supports, this is the one that requires immediate user attention.
The “onUserLeaveHint()” callback method of the Android Activity (i.e., the typical GUI screen the user sees): it is invoked as part of the activity lifecycle when the activity is about to go into the background as a result of user choice, for example when the user presses the home key.
Together these create a chain of events that automatically pops the ransomware screen back up without an infinite redraw and without posing as a system window, according to Microsoft. Additionally, as this family of malware is still evolving, Microsoft also found that it carries a machine-learning component, in this case a frozen TinyML model. This is meant to make the ransom note (typically a fake police notice, or explicit images supposedly found on the device) appear less contrived and more believable, increasing the chances of the user paying the ransom.
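One defensive use of the two indicators described above, as an added example that is not from Microsoft's write-up: a small Python triage heuristic over decompiled Android code that flags the combination of a "call"-category notification and an onUserLeaveHint() override which relaunches an activity. That the call notification is raised with setFullScreenIntent() is an assumption, not a detail the report gives, and the decompiled snippets are constructed.

```python
"""Static triage heuristic for the MalLocker.B-style lock-screen pattern: a "call"
notification raised with a full-screen intent plus an Activity whose onUserLeaveHint()
override relaunches an activity. setFullScreenIntent() is an assumed detail."""
from __future__ import annotations
import re

CALL_CATEGORY = re.compile(r"CATEGORY_CALL")
FULL_SCREEN = re.compile(r"\.setFullScreenIntent\s*\(")
# Capture the body of an onUserLeaveHint() override (single-level braces suffice here).
LEAVE_HINT = re.compile(r"onUserLeaveHint\s*\(\s*\)\s*\{([^}]*)\}")
RELAUNCH = re.compile(r"\bstartActivity\s*\(")

def scan_class(src: str) -> set[str]:
    """Return the indicator names present in one decompiled class."""
    hits = set()
    if CALL_CATEGORY.search(src) and FULL_SCREEN.search(src):
        hits.add("fullscreen_call_notification")
    for body in LEAVE_HINT.findall(src):
        hits.add("onUserLeaveHint_override")
        if RELAUNCH.search(body):  # leaving the screen immediately brings it back
            hits.add("relaunch_on_leave")
    return hits

def triage(classes: dict[str, str]) -> tuple[bool, dict[str, set[str]]]:
    """Suspicious only when a relaunching onUserLeaveHint() override and a
    full-screen call notification both appear somewhere in the same app."""
    per_class = {n: h for n, s in classes.items() if (h := scan_class(s))}
    combined = set().union(*per_class.values())
    suspicious = {"fullscreen_call_notification", "relaunch_on_leave"} <= combined
    return suspicious, per_class

# Constructed decompiled snippets (not real samples) for a quick self-check.
SUSPECT_APP = {
    "LockActivity": """public class LockActivity extends Activity {
        protected void onUserLeaveHint() { startActivity(new Intent(this, LockActivity.class)); }
    }""",
    "NoteService": """Notification n = new Notification.Builder(ctx, ch)
        .setCategory(Notification.CATEGORY_CALL)
        .setFullScreenIntent(pi, true).build();""",
}
DIALER_APP = {  # a legitimate VoIP dialer uses the call notification but never relaunches
    "IncomingCall": """new Notification.Builder(ctx, ch).setCategory(Notification.CATEGORY_CALL)
        .setFullScreenIntent(pi, true).build();""",
}

if __name__ == "__main__":
    print(triage(SUSPECT_APP)[0], triage(DIALER_APP)[0])  # True False
```

The heuristic is deliberately narrow: a dialer that legitimately uses call notifications is not flagged unless it also fights the user's attempt to leave the screen.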
“The library that uses tinyML is not yet wired to the malware’s functionalities, but its presence in the malware code indicates the intention to do so in future variants. We will continue to monitor this ransomware family to ensure customers are protected and to share our findings and insights to the community for broad protection against these evolving mobile threats”, concluded Microsoft.