Microsoft warns of ‘continuously evolving’ Android ransomware

This sophisticated strain abuses the incoming call notification to block access to a device

Microsoft has lifted the lid on a sophisticated ransomware family that has been spotted using a machine learning component embedded in its code and has so far managed to evade most security tools.

Like most Android ransomware strains, this particular threat, called AndroidOS/MalLocker.B, doesn’t encrypt users files. Instead, it blocks users’ access to their devices by displaying a full-screen notification that spoofs a message from authorities and demands payment in exchange for its removal.

Researchers say they are especially alarmed by the sophisticated techniques the malware uses to avoid detection, as well as the Android features it abuses to show a ransomware note that cannot be dismissed. This is something many Android ransomware strains have struggled to accomplish recently.

“The mobile ransomware is the latest variant of a ransomware family that’s been in the wild for a while but has been evolving non-stop,” the Microsoft Defender Research Team said.

“The new variant caught our attention because it’s an advanced malware with unmistakable malicious characteristic and behavior and yet manages to evade many available protections, registering a low detection rate against security solutions.”

Android ransomware in the past often targeted the ‘SYSTEM_ALERT_WINDOW’ permission to show ransom notes, which couldn’t be dismissed by the user as this permission was normally reserved for things like system alerts or error messages. The mechanism was exploited to make the message fully occupy the screen, blocking access to the device, although this attack surface was practically eliminated following system tweaks by Google.

Android malware has since attempted to adapt by misusing other features, but these have been largely ineffective. Attempts to exploit accessibility features often alerted users to the presence of malware as it requires navigating through several menu screens in order to use these services. Other families used infinite loops of drawing non-system windows, but it’s possible for users to go to settings and uninstall the app in between drawing and redrawing.

However, this new malware family has overcome these barriers by abusing the “call” notification – which fills the screen with a notice that you’re receiving an incoming call – to show a full-screen message that cannot be dismissed.

This particular strain has been through several stages of evolution to get to this current form, and Microsoft’s research team has previously seen stains that abuse accessibility settings, as well as general notification services. The expectation is that this family will churn out new variants with even more sophisticated techniques in future.

Alarmingly, its code is embedded with a TinyML machine learning module that’s designed to make sure images fit the screen without distortion. This would ensure that a ransom note would appear more believable, and less contrived.

As of now, the library using TinyML hasn’t yet been wired to the malware’s functionalities, but Microsoft claims its presence implies the intention to do so in future versions.

Featured Resources

Digital document processes in 2020: A spotlight on Western Europe

The shift from best practice to business necessity

Download now

Four security considerations for cloud migration

The good, the bad, and the ugly of cloud computing

Download now

VR leads the way in manufacturing

How VR is digitally transforming our world

Download now

Deeper than digital

Top-performing modern enterprises show why more perfect software is fundamental to success

Download now

Recommended

How can you protect your business from crypto-ransomware?
Security

How can you protect your business from crypto-ransomware?

4 Nov 2019
Microsoft spearheads industry-wide charter against AI cyber attacks
Security

Microsoft spearheads industry-wide charter against AI cyber attacks

23 Oct 2020
Weekly threat roundup: Chrome, Citrix and WordPress
Security

Weekly threat roundup: Chrome, Citrix and WordPress

23 Oct 2020
IT services giant Sopra Steria falls victim to Ryuk ransomware
Security

IT services giant Sopra Steria falls victim to Ryuk ransomware

23 Oct 2020

Most Popular

The top 12 password-cracking techniques used by hackers
Security

The top 12 password-cracking techniques used by hackers

5 Oct 2020
The enemy of security is complexity
Sponsored

The enemy of security is complexity

9 Oct 2020
What is a 502 bad gateway and how do you fix it?
web hosting

What is a 502 bad gateway and how do you fix it?

5 Oct 2020