Microsoft warns of ‘continuously evolving’ Android ransomware

This sophisticated strain abuses the incoming call notification to block access to a device

Microsoft has lifted the lid on a sophisticated ransomware family that has been spotted using a machine learning component embedded in its code and has so far managed to evade most security tools.

Like most Android ransomware strains, this particular threat, called AndroidOS/MalLocker.B, doesn’t encrypt users files. Instead, it blocks users’ access to their devices by displaying a full-screen notification that spoofs a message from authorities and demands payment in exchange for its removal.

Researchers say they are especially alarmed by the sophisticated techniques the malware uses to avoid detection, as well as the Android features it abuses to show a ransomware note that cannot be dismissed. This is something many Android ransomware strains have struggled to accomplish recently.

“The mobile ransomware is the latest variant of a ransomware family that’s been in the wild for a while but has been evolving non-stop,” the Microsoft Defender Research Team said.

“The new variant caught our attention because it’s an advanced malware with unmistakable malicious characteristic and behavior and yet manages to evade many available protections, registering a low detection rate against security solutions.”

Android ransomware in the past often targeted the ‘SYSTEM_ALERT_WINDOW’ permission to show ransom notes, which couldn’t be dismissed by the user as this permission was normally reserved for things like system alerts or error messages. The mechanism was exploited to make the message fully occupy the screen, blocking access to the device, although this attack surface was practically eliminated following system tweaks by Google.

Android malware has since attempted to adapt by misusing other features, but these have been largely ineffective. Attempts to exploit accessibility features often alerted users to the presence of malware as it requires navigating through several menu screens in order to use these services. Other families used infinite loops of drawing non-system windows, but it’s possible for users to go to settings and uninstall the app in between drawing and redrawing.

However, this new malware family has overcome these barriers by abusing the “call” notification – which fills the screen with a notice that you’re receiving an incoming call – to show a full-screen message that cannot be dismissed.

This particular strain has been through several stages of evolution to get to this current form, and Microsoft’s research team has previously seen stains that abuse accessibility settings, as well as general notification services. The expectation is that this family will churn out new variants with even more sophisticated techniques in future.

Alarmingly, its code is embedded with a TinyML machine learning module that’s designed to make sure images fit the screen without distortion. This would ensure that a ransom note would appear more believable, and less contrived.

As of now, the library using TinyML hasn’t yet been wired to the malware’s functionalities, but Microsoft claims its presence implies the intention to do so in future versions.

Featured Resources

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Evaluate your order-to-cash process

15 recommended metrics to benchmark your O2C operations

Download now

AI 360: Hold, fold, or double down?

How AI can benefit your business

Download now

Getting started with Azure Red Hat OpenShift

A developer’s guide to improving application building and deployment capabilities

Download now

Recommended

Best ransomware removal tools
ransomware

Best ransomware removal tools

22 Jan 2021
SonicWall hacked via zero-day flaw in remote access tools
Security

SonicWall hacked via zero-day flaw in remote access tools

25 Jan 2021
Hackers publish over 4,000 files stolen from SEPA in ransomware attack
Security

Hackers publish over 4,000 files stolen from SEPA in ransomware attack

22 Jan 2021

Most Popular

How to move Windows 10 from your old hard drive to SSD
operating systems

How to move Windows 10 from your old hard drive to SSD

21 Jan 2021
What is the Raspberry Pi Pico?
Hardware

What is the Raspberry Pi Pico?

21 Jan 2021
How to recover deleted emails in Gmail
email delivery

How to recover deleted emails in Gmail

6 Jan 2021