Microsoft has been excellent in its initiative to protect Windows from potential threats and malicious attacks. Now Microsoft has decided to extend its expertise beyond Windows.

Recently, Microsoft’s cybersecurity blog posted an article describing an evolved version of ransomware for Android smartphones. Microsoft stated in the post that they have found a piece of particularly sophisticated Android ransomware with novel techniques and behaviour.

The mobile ransomware, detected by Microsoft Defender as AndroidOS/MalLocker.B, is the latest variant of a ransomware family that’s been in the wild for a while but has been evolving non-stop. It has been found hosted on random websites or circulated on forums, disguised as cracked games, popular apps or media players.

Microsoft further stated that it is an advanced piece of malware with unmistakably malicious characteristics that registers a low detection rate against security solutions.

How Older Ransomware Worked


In the past, Android ransomware used a special permission named “SYSTEM_ALERT_WINDOW” to create alerts containing the ransom note and payment demand. Apps and modules with this permission are able to create a window that can’t be dismissed by input or buttons; the window stays on top of every other window.

These alerts were originally designed for system alerts that are crucial to the health and experience of the Android system, but attackers misused them to control the whole Android UI and block access to the device. Attackers created full-screen alerts demanding payment from victims in return for full access to the device.

These methods are quite old now, and with the release of Android 8.0 Google killed these permissions by implementing various platform-level changes. Android no longer has system alerts that can’t be killed.

New Ransomware Found a Way Around


This new ransomware, which Microsoft names AndroidOS/MalLocker.B, manages to evade security checks because of its evolved implementation.

Unlike previous versions of the malware, it doesn’t block access to the device; rather, it renders the device useless to the user by displaying a screen on top of every other window. The screen contains a ransom note, which includes threats and ways to pay to unlock the device.

To gain immediate attention from users, MalLocker.B uses the “calls” category and several others for its notifications. The ransomware uses a series of permissions to create a ransom alert across the whole screen, and each time the user tries to close the window, recurring functions bring the ransom note back on top of every other window.
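
A defender-side check for two capabilities this article names, the SYSTEM_ALERT_WINDOW permission and accessibility features, is sketched below as an added example; it is not code from Microsoft's post or from this article. It assumes the app's manifest has already been decoded to text XML, and the sample manifest, package name and service name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"
A11Y_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ANDROID_8_API = 26  # Android 8.0 is API level 26


def triage_manifest(xml_text):
    """Return a list of (signal, detail) findings for one decoded manifest."""
    root = ET.fromstring(xml_text)
    findings = []
    perms = {e.get(A + "name") for e in root.iter("uses-permission")}
    if OVERLAY in perms:
        findings.append(("overlay", OVERLAY))
    # An accessibility service is a <service> guarded by this bind permission.
    for svc in root.iter("service"):
        if svc.get(A + "permission") == A11Y_BIND:
            findings.append(("accessibility-service", svc.get(A + "name")))
    sdk = root.find("uses-sdk")
    target = sdk.get(A + "targetSdkVersion") if sdk is not None else None
    if target is not None and target.isdigit() and int(target) < ANDROID_8_API:
        findings.append(("pre-android-8-target", target))
    return findings


def needs_review(findings):
    """Escalate when overlay and accessibility signals appear together."""
    kinds = {kind for kind, _ in findings}
    return {"overlay", "accessibility-service"} <= kinds


# Constructed sample (hypothetical package and service), not from a real app.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.freeplayer">
  <uses-sdk android:minSdkVersion="19" android:targetSdkVersion="23"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <service android:name=".HelperService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    result = triage_manifest(SAMPLE)
    for kind, detail in result:
        print(f"{kind}: {detail}")
    print("manual review:", needs_review(result))
```

These signals also appear in legitimate apps, so a match is a reason to look closer at a sideloaded package, not a verdict.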

AndroidOS/MalLocker.B uses Machine Learning


As stated by Microsoft in their security blog, this is the first time they have seen ransomware implementing this kind of machine learning. This evolved version of the ransomware exploits some open-source machine learning modules to abuse core Android functionality such as the notification system, accessibility features and the system alert window.

Developers use such open-source machine learning modules for various tasks, like resizing and cropping images based on screen size across the variety of Android devices.

In their study, Microsoft found these implementations in the MalLocker.B ransomware. Although they are not yet implemented completely, the footprints of these functions and modules imply that they might be used in the near future to display ransom prompts and demand payments from victims. The use of images and text might make the ransom notes more believable, so that victims are more likely to pay.

According to Microsoft, this new mobile ransomware variant is an important discovery because the malware exhibits behaviours that have not been seen before and could open doors for other malware to follow.

Microsoft stated that they will continue to monitor this ransomware family to ensure users are protected, and to share their findings and insights with the community for broad protection against these evolving mobile threats.



Ajay Choudhury
