Researchers from Microsoft have spotted a new strain of Android ransomware that abuses the mechanisms behind the ‘incoming call’ notification as well as the ‘Home’ button to lock the screen on a device. This new form, called MalLocker.B, also manages to elude many available protections, registering a low detection rate against security solutions.
Like other Android ransomware, MalLocker.B doesn’t encrypt the files on the device but just impedes access to the phone.
“The mobile ransomware, detected by Microsoft Defender for Endpoint as AndroidOS/MalLocker.B, is the latest variant of a ransomware family that’s been in the wild for a while but has been evolving non-stop,” read Microsoft’s research.
“This ransomware family is known for being hosted on arbitrary websites and circulated on online forums using various social engineering lures, including masquerading as popular apps, cracked games, or video players,” added researchers.
The mechanism MalLocker.B uses to display the ransom note has two parts: the first abuses the call notification and the second abuses the ‘onUserLeaveHint()’ function, which is activated when users want to push an app into the background and switch to a new app.
In the case of the call notification, the ransomware shows a window covering the entire screen of the device. The second part, triggered when the user presses the Home button, prevents users from leaving the ransom note for the home screen or another app.
The researchers believe the malware is exceptionally advanced with distinctive characteristics and behavior. It manages to evade many available protections, registering a low detection rate.
This new threat doesn’t actually block access to files by encrypting them; instead, it blocks access to the device by displaying a screen that appears over every other window. This screen is the ransom note, which contains threats and instructions to pay the ransom.
In the past, Android ransomware used a special permission called ‘SYSTEM_ALERT_WINDOW’ to display its ransom note. The permission was intended to be used for system alerts or errors.
Android threats misused it to force the attacker-controlled user interface to fully occupy the screen, blocking access to the device. Attackers persuade users to pay the ransom so that they can regain access to the device.
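
A defender-side triage check for two of the indicators described above (the ‘SYSTEM_ALERT_WINDOW’ request and an ‘onUserLeaveHint()’ override), as an added example that is not from Microsoft’s research or this article. It assumes the APK has already been decoded to a text AndroidManifest.xml and smali files (for example with apktool); the sample manifest, package name and smali below are constructed.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
OVERLAY_PERMISSION = "android.permission.SYSTEM_ALERT_WINDOW"
# smali header of a method that overrides Activity.onUserLeaveHint()
LEAVE_HINT_RE = re.compile(r"^\.method\s+.*\bonUserLeaveHint\(\)V", re.MULTILINE)

# Constructed sample input (not taken from a real sample).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.videoplayer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application><activity android:name=".NoteActivity"/></application>
</manifest>"""
SAMPLE_SMALI = {
    "smali/com/example/videoplayer/NoteActivity.smali":
        ".class public Lcom/example/videoplayer/NoteActivity;\n"
        ".super Landroid/app/Activity;\n"
        ".method protected onUserLeaveHint()V\n"
        "    return-void\n"
        ".end method\n",
    "smali/com/example/videoplayer/Util.smali":
        ".class public Lcom/example/videoplayer/Util;\n",
}

def requested_permissions(manifest_xml):
    """Return the set of permission names declared in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(ANDROID_NS + "name")
            if name:
                names.add(name)
    return names

def triage(manifest_xml, smali_sources):
    """List the screen-locking indicators named in the article that are present."""
    findings = []
    if OVERLAY_PERMISSION in requested_permissions(manifest_xml):
        findings.append("manifest requests SYSTEM_ALERT_WINDOW")
    for path in sorted(smali_sources):
        if LEAVE_HINT_RE.search(smali_sources[path]):
            findings.append(path + " overrides onUserLeaveHint()")
    return findings

if __name__ == "__main__":
    print("\n".join(triage(SAMPLE_MANIFEST, SAMPLE_SMALI)))
```

Legitimate apps also request the overlay permission or override ‘onUserLeaveHint()’, so a hit is a reason to review the app, not a verdict.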
To protect their devices from MalLocker.B and similar malware, users are advised to avoid installing Android apps from third-party stores or forums.