A new ransomware has emerged online threatening Android security. This new malware triggers on an infected phone as soon as the victim presses the Home key. Researchers at Microsoft are warning about a new strain of mobile ransomware that takes advantage of incoming call notifications and Android's Home button to lock the device behind a ransom note.
The findings concern a variant of a known Android ransomware family called, "MalLocker.B" which has resurfaced with new techniques. This malware includes a novel means to deliver the ransom demand on infected devices as well as an obfuscation mechanism to evade security solutions. The development comes amid a huge surge in ransomware attacks against critical infrastructure across sectors, with a 50% increase in the daily average of ransomware attacks in the last three months compared to the first half of the year. Cybercriminals increasingly incorporating extortion in their playbooks.
MalLocker has been known for being hosted on malicious websites and circulated on online forums using various social engineering lures by masquerading as popular apps, cracked games, or video players. The ransomware reaches target devices via apps available on third-party app stores. This malware is active in the “Wild” and Android users should be careful when downloading apps from any store other than Google Play. The main reason it caught the attention of analysts is its ever-evolving evil intent and abilities to bypass security safeguards. This has allowed this malware to hide from current anti-malware solutions.
The malware does not encrypt the data on the target device, rather it blocks the user’s access to the device. Previous instances of Android ransomware have exploited Android accessibility features or permission called "SYSTEM_ALERT_WINDOW" to display a persistent window atop all other screens to display the ransom note, which typically masquerade as fake police notices or alerts about purportedly finding explicit images on the device. The ransom note can also mimic a legal notice from a tax or law enforcement agency. The note demands payment for a crime the victim committed.
As soon as anti-malware software began detecting this behavior, the new Android ransomware variant has evolved to overcome this barrier. What has changed with MalLocker.B is the method by which it achieves the same goal via an entirely new tactic. To do this, it leverages the "call" notification that is used to alert the user about incoming calls in order to display a window that covers the entire area of the screen, and subsequently combines it with a Home or ‘Recents’ keypress to trigger the ransom note to the foreground and prevent the victim from switching to any other screen. "This creates a chain of events that triggers the automatic pop-up of the ransomware screen without doing infinite redraw or posing as a system window," researchers noted.
Aside from incrementally building on an array of aforementioned techniques to show the ransomware screen, Microsoft also noted the presence of a yet-to-be-integrated machine learning model that could be used to fit the ransom note image within the screen without distortion. This could be a preview of the next stage of malware features. To mask its true purpose, the ransomware code is heavily obfuscated and made unreadable through name mangling and deliberate use of meaningless variable names and junk code to inhibit analysis.
"This new mobile ransomware variant is an important discovery because the malware exhibits behaviors that have not been seen before and could open doors for other malware to follow," Microsoft 365 Defender Research Team said. "It reinforces the need for comprehensive defense powered by broad visibility into attack surfaces as well as domain experts who track the threat landscape and uncover notable threats that might be hiding amidst massive threat data and signals."
Red Sky Alliance has been analyzing and documenting cyber threats for 9 years and maintains a resource library of malware and cyber actor reports.
The installation, updating, and monitoring of firewalls, cybersecurity, and proper employee training are keys to blocking attacks. Please feel free to contact our analyst team for research assistance and Cyber Threat Analysis on your organization.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please contact the lab directly at 1-844-492-7225, or firstname.lastname@example.org.
For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or email@example.com
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941