Microsoft warns of ‘continuously evolving’ Android ransomware

This sophisticated strain abuses the incoming call notification to block access to a device

Microsoft has lifted the lid on a sophisticated ransomware family that has been spotted using a machine learning component embedded in its code and has so far managed to evade most security tools.

Like most Android ransomware strains, this particular threat, called AndroidOS/MalLocker.B, doesn’t encrypt users files. Instead, it blocks users’ access to their devices by displaying a full-screen notification that spoofs a message from authorities and demands payment in exchange for its removal.

Researchers say they are especially alarmed by the sophisticated techniques the malware uses to avoid detection, as well as the Android features it abuses to show a ransomware note that cannot be dismissed. This is something many Android ransomware strains have struggled to accomplish recently.

“The mobile ransomware is the latest variant of a ransomware family that’s been in the wild for a while but has been evolving non-stop,” the Microsoft Defender Research Team said.

“The new variant caught our attention because it’s an advanced malware with unmistakable malicious characteristic and behavior and yet manages to evade many available protections, registering a low detection rate against security solutions.”

Android ransomware in the past often targeted the ‘SYSTEM_ALERT_WINDOW’ permission to show ransom notes, which couldn’t be dismissed by the user as this permission was normally reserved for things like system alerts or error messages. The mechanism was exploited to make the message fully occupy the screen, blocking access to the device, although this attack surface was practically eliminated following system tweaks by Google.

Android malware has since attempted to adapt by misusing other features, but these have been largely ineffective. Attempts to exploit accessibility features often alerted users to the presence of malware as it requires navigating through several menu screens in order to use these services. Other families used infinite loops of drawing non-system windows, but it’s possible for users to go to settings and uninstall the app in between drawing and redrawing.

However, this new malware family has overcome these barriers by abusing the “call” notification – which fills the screen with a notice that you’re receiving an incoming call – to show a full-screen message that cannot be dismissed.

This particular strain has been through several stages of evolution to get to this current form, and Microsoft’s research team has previously seen stains that abuse accessibility settings, as well as general notification services. The expectation is that this family will churn out new variants with even more sophisticated techniques in future.

Alarmingly, its code is embedded with a TinyML machine learning module that’s designed to make sure images fit the screen without distortion. This would ensure that a ransom note would appear more believable, and less contrived.

As of now, the library using TinyML hasn’t yet been wired to the malware’s functionalities, but Microsoft claims its presence implies the intention to do so in future versions.

Featured Resources

The ultimate law enforcement agency guide to going mobile

Best practices for implementing a mobile device program

Free download

The business value of Red Hat OpenShift

Platform cost savings, ROI, and the challenges and opportunities of Red Hat OpenShift

Free download

Managing security and risk across the IT supply chain: A practical approach

Best practices for IT supply chain security

Free download

Digital remote monitoring and dispatch services’ impact on edge computing and data centres

Seven trends redefining remote monitoring and field service dispatch service requirements

Free download

Recommended

Microsoft touts new cyber security help for nonprofits
cyber security

Microsoft touts new cyber security help for nonprofits

22 Oct 2021
Ofcom report reveals alarming uptick in smishing attacks
scams

Ofcom report reveals alarming uptick in smishing attacks

22 Oct 2021
Graylog launches new cyber security solution to address legacy issues
cyber security

Graylog launches new cyber security solution to address legacy issues

21 Oct 2021
US to ban surveillance software exports to authoritarian governments
cyber security

US to ban surveillance software exports to authoritarian governments

21 Oct 2021

Most Popular

Best Linux distros 2021
operating systems

Best Linux distros 2021

11 Oct 2021
Apple MacBook Pro 15in vs Dell XPS 15: Clash of the titans
Laptops

Apple MacBook Pro 15in vs Dell XPS 15: Clash of the titans

11 Oct 2021
Windows 11 has problems with Oracle VirtualBox
Microsoft Windows

Windows 11 has problems with Oracle VirtualBox

5 Oct 2021