Microsoft has lifted the lid on a sophisticated ransomware family that has been spotted using a machine learning component embedded in its code and has so far managed to evade most security tools.
Like most Android ransomware strains, this particular threat, called AndroidOS/MalLocker.B, doesn’t encrypt users files. Instead, it blocks users’ access to their devices by displaying a full-screen notification that spoofs a message from authorities and demands payment in exchange for its removal.
Researchers say they are especially alarmed by the sophisticated techniques the malware uses to avoid detection, as well as the Android features it abuses to show a ransomware note that cannot be dismissed. This is something many Android ransomware strains have struggled to accomplish recently.
“The mobile ransomware is the latest variant of a ransomware family that’s been in the wild for a while but has been evolving non-stop,” the Microsoft Defender Research Team said.
“The new variant caught our attention because it’s an advanced malware with unmistakable malicious characteristic and behavior and yet manages to evade many available protections, registering a low detection rate against security solutions.”
Android ransomware in the past often targeted the ‘SYSTEM_ALERT_WINDOW’ permission to show ransom notes, which couldn’t be dismissed by the user as this permission was normally reserved for things like system alerts or error messages. The mechanism was exploited to make the message fully occupy the screen, blocking access to the device, although this attack surface was practically eliminated following system tweaks by Google.
Android malware has since attempted to adapt by misusing other features, but these have been largely ineffective. Attempts to exploit accessibility features often alerted users to the presence of malware as it requires navigating through several menu screens in order to use these services. Other families used infinite loops of drawing non-system windows, but it’s possible for users to go to settings and uninstall the app in between drawing and redrawing.
However, this new malware family has overcome these barriers by abusing the “call” notification – which fills the screen with a notice that you’re receiving an incoming call – to show a full-screen message that cannot be dismissed.
This particular strain has been through several stages of evolution to get to this current form, and Microsoft’s research team has previously seen stains that abuse accessibility settings, as well as general notification services. The expectation is that this family will churn out new variants with even more sophisticated techniques in future.
Alarmingly, its code is embedded with a TinyML machine learning module that’s designed to make sure images fit the screen without distortion. This would ensure that a ransom note would appear more believable, and less contrived.
As of now, the library using TinyML hasn’t yet been wired to the malware’s functionalities, but Microsoft claims its presence implies the intention to do so in future versions.
-
Microsoft says these 10 jobs are at highest risk of being upended by AINews Microsoft thinks AI is going to destroy jobs across a range of industries – while experts aren't fully convinced, maybe it's time to start preparing.
-
Average ransom payment doubles in a single quarterNews Targeted social engineering and data exfiltration have become the biggest tactics as three major ransomware groups dominate
-
Average ransom payment doubles in a single quarter
News Targeted social engineering and data exfiltration have become the biggest tactics as three major ransomware groups dominate
-
BlackSuit ransomware gang taken down in latest law enforcement sting – but members have already formed a new groupNews The notorious gang has seen its servers taken down and bitcoin seized, but may have morphed into a new group called Chaos
-
Google cyber researchers were tracking the ShinyHunters group’s Salesforce attacks – then realized they’d also fallen victimNews In an update to an investigation on the ShinyHunters group, Google revealed it had also been affected
-
Nearly one-third of ransomware victims are hit multiple times, even after paying hackersNews Many ransomware victims are being hit more than once, largely thanks to fragmented security tactics
-
75% of UK business leaders are willing to risk criminal penalties to pay ransomsNews A ransom payment ban is a great idea - until you're the one being targeted...
-
The Scattered Spider ransomware group is infiltrating Slack and Microsoft Teams to target vulnerable employeesNews The group is using new ransomware variants and new social engineering techniques - including sneaking into corporate teleconferences
-
Hackers breached a 158 year old company by guessing an employee password – experts say it’s a ‘pertinent reminder’ of the devastating impact of cyber crimeNews A Panorama documentary exposed hackers' techniques and talked to the teams trying to tackle them
-
The ransomware boom shows no signs of letting up – and these groups are causing the most chaos
News Thousands of ransomware cases have already been posted on the dark web this year
