Microsoft has been excellent in its initiative to protect Windows from potential threats and malicious attacks. Now Microsoft is decided to extend their expertise beyond Windows.
Recently, Microsoft’s cybersecurity blog posted an article mentioning an evolved version of ransomware for Android smartphones. Microsoft stated in their post that, they have found a piece of particularly sophisticated Android ransomware with novel techniques and behaviour.
The mobile ransomware, detected by Microsoft Defender as AndroidOS/MalLocker.B, is the latest variant of a ransomware family that’s been in the wild for a while but has been evolving non-stop. They have been found being hosted on random websites or circulated on forums disguised as cracked games, popular apps or media players.
Microsoft further stated that it is an advanced malware with an unmistakable malicious characteristic which makes it register a low detection rate against security solutions.
Working of Old Ransomware
In the past, Android ransomware used special permission named “SYSTEM_ALERT_WINDOW” to create alerts containing their ransom note and demand for payments. Apps and modules with this permission are able to create a window that can’t be dismissed by input or buttons, the window continues to stay on top of every other window.
These alerts were originally designed for system alerts which meant to be crucial for the Android system health and experience but, attackers misused them to control the whole UI of the Android and block access to the device. Attackers used to create full-screen alerts demanding payments from victims in return for full access to the device.
Above methods are quite old now and with the release of Android 8.0, Google killed these permissions by implementing various platform-level changes. Now, in Android, no such system alerts exist which can’t be killed.
New Ransomware Found a Way Around
This new ransomware named MalLocker.B/AndroidOS (according to Microsoft) manages to evade the security breaches or check because of its evolved implementation.
Unlike previous versions of malware, it doesn’t block access to devices rather it renders them useless to users by displaying a screen on top of every other window. The screen contains some ransom notes which include threats and ways to pay for unlocking the device.
MalLocker.B to gain immediate attention from users uses the category of “calls” and several others for its notifications. The ransomware uses a series of permissions to create ransom alert across the whole screen and each time user tries to close the windows the recurring functions bring back the ransom note on top of every other window.
AndroidOS/MalLocker.B uses Machine Learning
As stated by Microsoft in their security blog, they have seen ransomware implementing these sets of machine learning for the first time. This evolved version of the ransomware exploits some open-source machine learning modules to abuse some core functionalities of Android like notification system, accessibility features and system alert window.
Such open-source machine learning modules are used by developers for various tasks like resizing and cropping images based on screen size and variety of Android devices.
Microsoft in their study found these implementations in MalLocker.B ransomware, though not yet implemented completely the footprints of these functions and modules imply that they might be used in near futures to display ransom prompts and demand payments from victims and use of images and texts might make people believe the ransom notes and make it believable such that victims are more likely to pay.
According to Microsoft, this new mobile ransomware variant is an important discovery because the malware exhibits behaviours that have not been seen before and could open doors for other malware to follow.
Microsoft stated that they will continue to monitor this ransomware family to ensure users are protected and to share their findings and insights to the community for broad protection against these evolving mobile threats.