This sophisticated ransomware kidnaps data on Android phones

According to a report published by Microsoft's 365 Defender Research Team on October 8, ransomware has undergone a new evolution. The report stated that the research team had found a piece of particularly sophisticated Android ransomware with “novel techniques and behaviour” that exemplified the “rapid evolution of mobile threats” observed, writes PhoneArena.

This particular mobile ransomware, which was detected by Microsoft Defender for Endpoint “as AndroidOS/MalLocker.B” has been out in the wild for a while and has been constantly evolving.

MalLocker.B is known to be hosted on random websites and is circulated via online forums and uses various social engineering lures. It often “masquerades” as popular apps, cracked games or video players, as per reports.

One of the versions particularly caught people's attention since it was advanced malware with “unmistakable malicious characteristic and behaviour” but yet it managed to evade most of the available protections and had a low detection rate against many security solutions.

Ransom is demanded in the form of an instruction note that blocks access to your mobile phone's display. The older versions of ransomware would rely on a permission called “SYSTEM_ALERT_WINDOW” that shows a pop-up window that cannot be dismissed or closed.

Also Read: Ransomware alert: Microsoft has a warning for all Android phone users

Designed originally for actual system alerts/errors, this permission feature was hijacked by bad actors and the UI was controlled by the hackers to cover the entire device screen instead of a small portion - rendering the whole screen unusable. This blocks the victims from being able to access their device and the only option they have is to pay up.

To fight this, Google retaliated by removing the SYSTEM_ALERT_WINDOW error and alert window. The permission status for SYSTEM_ALERT_WINDOW was also elevated to the special permissions category and out into the “above dangerous” category. This meant that instead of just a single click, users have to go through “many screens to approve apps that ask for permissions”.

Hackers then evolved the malware by using accessibility features, however, these were easily detectable. These malware-infected apps continued to evolve by using the “Call” notification and the “callback method” on Android - something that requires an users' immediate attention.

The hackers started using a combination of both these features to trigger a ransom note on the device.

But this evolution story is not over yet.

According to the Microsoft 365 Defender Research Team report, recent variants of the ransomware contain “code forked from an open-source machine learning module used by developers to automatically resize and crop images based on screen size”. And this is a valuable function given the large variety of Android devices that exist.

The frozen TinyML model is useful for ensuring that images fit the device screen without any distortion. For this ransomware in particular, this model would make sure that the ransom note, which is usually a fake police notice or explicit images that have allegedly been found on the device, would appear to look more believable and thereby increase the chances of victims actually paying up.

Tanmay Ganacharya, Microsoft's Defender research team lead, pointed out that this particular mobile ransomware variant hints at what one can expect from future malware attacks. 

The point is, MalLocker.B is constantly evolving and its main agenda is to make as much money from you as possible once it manages to hold your device or data