Microsoft has lifted the lid on a sophisticated ransomware family that has been spotted using a machine learning component embedded in its code and has so far managed to evade most security tools.
Like most Android ransomware strains, this particular threat, called AndroidOS/MalLocker.B, doesn’t encrypt users files. Instead, it blocks users’ access to their devices by displaying a full-screen notification that spoofs a message from authorities and demands payment in exchange for its removal.
Researchers say they are especially alarmed by the sophisticated techniques the malware uses to avoid detection, as well as the Android features it abuses to show a ransomware note that cannot be dismissed. This is something many Android ransomware strains have struggled to accomplish recently.
“The mobile ransomware is the latest variant of a ransomware family that’s been in the wild for a while but has been evolving non-stop,” the Microsoft Defender Research Team said.
“The new variant caught our attention because it’s an advanced malware with unmistakable malicious characteristic and behavior and yet manages to evade many available protections, registering a low detection rate against security solutions.”
Android ransomware in the past often targeted the ‘SYSTEM_ALERT_WINDOW’ permission to show ransom notes, which couldn’t be dismissed by the user as this permission was normally reserved for things like system alerts or error messages. The mechanism was exploited to make the message fully occupy the screen, blocking access to the device, although this attack surface was practically eliminated following system tweaks by Google.
Android malware has since attempted to adapt by misusing other features, but these have been largely ineffective. Attempts to exploit accessibility features often alerted users to the presence of malware as it requires navigating through several menu screens in order to use these services. Other families used infinite loops of drawing non-system windows, but it’s possible for users to go to settings and uninstall the app in between drawing and redrawing.
However, this new malware family has overcome these barriers by abusing the “call” notification – which fills the screen with a notice that you’re receiving an incoming call – to show a full-screen message that cannot be dismissed.
This particular strain has been through several stages of evolution to get to this current form, and Microsoft’s research team has previously seen stains that abuse accessibility settings, as well as general notification services. The expectation is that this family will churn out new variants with even more sophisticated techniques in future.
Alarmingly, its code is embedded with a TinyML machine learning module that’s designed to make sure images fit the screen without distortion. This would ensure that a ransom note would appear more believable, and less contrived.
As of now, the library using TinyML hasn’t yet been wired to the malware’s functionalities, but Microsoft claims its presence implies the intention to do so in future versions.
-
RSAC Conference 2025: The front line of cyber innovationITPro Podcast Ransomware, quantum computing, and an unsurprising focus on AI were highlights of this year's event
-
Anthropic CEO Dario Amodei thinks we're burying our heads in the sand on AI job lossesNews With AI set to hit entry-level jobs especially, some industry execs say clear warning signs are being ignored
-
LockBit data dump reveals a treasure trove of intel on the notorious hacker groupNews An analysis of May's SQL database dump shows how much LockBit was really making
-
‘I take pleasure in thinking I can rid society of at least some of them’: A cyber vigilante is dumping information on notorious ransomware criminals – and security experts say police will be keeping close tabsNews An anonymous whistleblower has released large amounts of data allegedly linked to the ransomware gangs
-
It's been a bad week for ransomware operatorsNews A host of ransomware strains have been neutralized, servers seized, and key players indicted
-
Everything we know about the Peter Green Chilled cyber attackNews A ransomware attack on the chilled food distributor highlights the supply chain risks within the retail sector
-
Scattered Spider: Who are the alleged hackers behind the M&S cyber attack?News The Scattered Spider group has been highly active in recent years
-
Ransomware attacks are rising — but quiet payouts could mean there's more than actually reported
News Ransomware attacks continue to climb, but they may be even higher than official figures show as companies choose to quietly pay to make such incidents go away.
-
Cleo attack victim list grows as Hertz confirms customer data stolen – and security experts say it won't be the lastNews Hertz has confirmed it suffered a data breach as a result of the Cleo zero-day vulnerability in late 2024, with the car rental giant warning that customer data was stolen.
-
‘Phishing kits are a force multiplier': Cheap cyber crime kits can be bought on the dark web for less than $25 – and experts warn it’s lowering the barrier of entry for amateur hackersNews Research from NordVPN shows phishing kits are now widely available on the dark web and via messaging apps like Telegram, and are often selling for less than $25.
