A New Android Ransomware Executes with Home Button


A sophisticated strain of Android ransomware locks the device, and when the user presses the Home button the ransom note appears.

MalLocker Android Ransomware

This ransomware, known as MalLocker, spreads through downloads from malicious websites (such as cracked games and video players) and is advertised in online forums.

Microsoft researchers said this new variant stands out as an advanced piece of malware with unmistakably malicious characteristics and behaviour. It also evades many of the available protections and has a low detection rate among security solutions.

Android ransomware differs from its desktop counterparts: it does not encrypt anything and only blocks access to the device by showing overlay screens carrying the ransom note. In MalLocker’s case, the overlay screen is built using a technique not seen before.

To fit the overlay screen to the device’s screen size automatically, the authors reused an open-source machine-learning module.

They Used a New Method

Researchers note that Android ransomware typically relies on a special permission called SYSTEM_ALERT_WINDOW. An app holding this permission can draw its ransom note on top of whatever is open, and the note cannot be dismissed.

According to the researchers, no matter what the user does or which button is pressed, the window carrying the note stays on top of all other windows. Researchers also said, “This type of notification was made for system alerts or errors, but Android threats misused it to take full control of the screen and block access to the screen”.

Attackers use this to pressure users into paying the ransom in order to regain access to the device screen.

MalLocker, by contrast, draws on the notification categories used by Android, specifically the “call” notification category, to grab the user’s attention. The attackers also use the onUserLeaveHint() callback of the Android Activity class, a core Android function. The system invokes this callback when the user leaves the activity, for example by closing the app or pressing the Home button, which sends the app’s current activity to the background.

According to Microsoft, the malware combines these two components to create a special type of notification that triggers the ransom screen through the callback. It overrides the onUserLeaveHint() callback function so that the ransom screen pops up automatically and poses as a system window.

The analysis added that, “Firstly they create a notification builder and build a very important notification that needs special privileges. 
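The pattern described above (a Home-button callback override combined with a privileged, forced-foreground notification) can be checked for during static triage of a decompiled APK. The following is an added example written for this article, not Microsoft's detection logic and not code from the malware: it parses a constructed AndroidManifest.xml for the SYSTEM_ALERT_WINDOW and USE_FULL_SCREEN_INTENT permissions and scans a constructed fragment of decompiled source for an onUserLeaveHint() override, a setFullScreenIntent() call and the "call" notification category. The mapping of the article's "very important notification that needs special privileges" to a full-screen-intent notification is an assumption; the package name and source fragment are placeholders.

```python
"""Static triage heuristic for the Home-button-hook plus forced-notification
pattern.  Constructed example for illustration; not a vendor signature."""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest (placeholder package name, not a real sample).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.placeholder">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.USE_FULL_SCREEN_INTENT"/>
  <application android:label="Video Player">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""

# Constructed fragment of decompiled Java, written to exhibit the pattern.
SAMPLE_SOURCE = """
public class MainActivity extends Activity {
    @Override
    protected void onUserLeaveHint() {
        super.onUserLeaveHint();
        showLockScreen();
    }
    private void showLockScreen() {
        Notification.Builder b = new Notification.Builder(this, "ch");
        b.setCategory(Notification.CATEGORY_CALL);
        b.setFullScreenIntent(pending, true);
    }
}
"""

# Constructed benign fragment: a media player that overrides the same callback
# (legitimate apps do this, e.g. to enter picture-in-picture) but nothing else.
BENIGN_SOURCE = """
public class PlayerActivity extends Activity {
    @Override
    public void onUserLeaveHint() {
        super.onUserLeaveHint();
        enterPictureInPictureMode();
    }
}
"""

# Manifest-level indicators: permission names as written in AndroidManifest.xml.
PERMISSION_INDICATORS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay_permission",
    "android.permission.USE_FULL_SCREEN_INTENT": "full_screen_intent_permission",
}

# Source-level indicators: regexes over decompiled Java/Kotlin text.  The
# override regex requires an opening brace so that calls such as
# "super.onUserLeaveHint();" are not counted as overrides.
SOURCE_INDICATORS = {
    "onUserLeaveHint_override": re.compile(r"\bonUserLeaveHint\s*\(\s*\)\s*\{"),
    "full_screen_intent_call": re.compile(r"\bsetFullScreenIntent\s*\("),
    "call_notification_category": re.compile(
        r"CATEGORY_CALL\b|setCategory\s*\(\s*\"call\"\s*\)"),
}


def manifest_permissions(manifest_xml):
    """Return the set of <uses-permission android:name=...> values."""
    root = ET.fromstring(manifest_xml)
    key = "{%s}name" % ANDROID_NS
    return {el.get(key) for el in root.iter("uses-permission") if el.get(key)}


def find_indicators(manifest_xml, source_text):
    """Return the sorted list of indicator names present in the inputs."""
    hits = set()
    for perm in manifest_permissions(manifest_xml):
        if perm in PERMISSION_INDICATORS:
            hits.add(PERMISSION_INDICATORS[perm])
    for name, pattern in SOURCE_INDICATORS.items():
        if pattern.search(source_text):
            hits.add(name)
    return sorted(hits)


def triage(manifest_xml, source_text):
    """Combine indicators into a verdict.  Only the co-occurrence of the
    Home-button hook with a forced-foreground capability is flagged; either
    on its own is common in legitimate apps."""
    hits = find_indicators(manifest_xml, source_text)
    hooks_home_button = "onUserLeaveHint_override" in hits
    forces_screen = any(h in hits for h in (
        "full_screen_intent_call", "full_screen_intent_permission",
        "overlay_permission", "call_notification_category"))
    if hooks_home_button and forces_screen:
        verdict = "suspicious: Home-button hook combined with forced-foreground UI"
    elif hooks_home_button or forces_screen:
        verdict = "review: single indicator, common in legitimate apps"
    else:
        verdict = "no indicators"
    return {"indicators": hits, "verdict": verdict}


if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, SAMPLE_SOURCE))
    print(triage(SAMPLE_MANIFEST.replace("SYSTEM_ALERT_WINDOW", "INTERNET")
                 .replace("USE_FULL_SCREEN_INTENT", "CAMERA"), BENIGN_SOURCE))
```

The verdict deliberately requires the combination: overriding onUserLeaveHint() alone is ordinary Android behaviour, and holding SYSTEM_ALERT_WINDOW alone is also common, so a single indicator is routed for review rather than flagged.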

Growth of Machine Learning

MalLocker’s machine-learning module points to the continuous evolution of this Android ransomware family, researchers said.

“This ransomware is the latest variant of a malware family that has undergone several stages of evolution,” researchers said. “We expect it to churn out new variants with even more sophisticated techniques. In fact, recent variants contain code forked from an open-source machine-learning module used by developers to automatically resize and crop images based on screen size, a valuable function given the variety of Android devices.”

The latest MalLocker variant also shows that mobile threat actors continually try to sidestep technological barriers and find creative ways to reach their goal, and it may open the door to new malware trends.
