Microsoft has warned all Android users about a new strain of ransomware that takes advantage of incoming call notifications and Android’s Home button to lock the device behind a ransom note.
The ransomware is believed to be a variant of a known Android ransomware family, dubbed “MalLocker.B”, which has now returned with new techniques. It includes a new way of delivering the ransom demand on infected devices as well as an obfuscation mechanism to evade security solutions.
MalLocker was hosted on malicious websites and circulated on online forums, using social engineering lures that disguise it as popular apps, cracked games, or video players.
Earlier Android ransomware abused Android accessibility features or the “SYSTEM_ALERT_WINDOW” permission to display a persistent window, carrying the ransom note, on top of all other screens.
As this was detected by anti-malware software, the new Android ransomware variant has evolved to overcome this problem. In the MalLocker.B variant, the same goal is achieved through an entirely new technique.
It leverages the “call” notification, which is used to alert the user about incoming calls, to display a window that covers the entire screen. It combines this with a hook on the Home or Recents keypress that brings the ransom note back to the foreground and prevents the victim from switching to any other screen.
Microsoft also warned of the presence of a yet-to-be-integrated machine learning model that could be used to fit the ransom note image within the screen without distortion.
To hide its true purpose, the ransomware code is heavily obfuscated and made unreadable through name mangling and deliberate use of meaningless variable names and junk code to prevent analysis.
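As an added example (not code from Microsoft or from the article), the static triage below checks a decoded manifest and decompiled source text for the older overlay/accessibility indicators and for the newer call-notification pattern described above. The mapping of that pattern to the public Android API names `CATEGORY_CALL`, `setFullScreenIntent` and `onUserLeaveHint` is an assumption, and `triage` and the sample inputs are hypothetical and constructed.

```python
import re
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"
A11Y = "android.permission.BIND_ACCESSIBILITY_SERVICE"
# Assumed mapping of the newer technique to public Android API names.
MARKERS = {
    "call_category": re.compile(r'CATEGORY_CALL|setCategory\(\s*"call"\s*\)'),
    "full_screen_intent": re.compile(r"setFullScreenIntent\s*\("),
    "user_leave_hook": re.compile(r"\bonUserLeaveHint\s*\("),
}

def triage(manifest_xml, sources):
    """Return the indicators found and which lock pattern they match."""
    root = ET.fromstring(manifest_xml)
    found = set()
    if any(p.get(NS + "name") == OVERLAY for p in root.iter("uses-permission")):
        found.add("overlay_permission")
    if any(s.get(NS + "permission") == A11Y for s in root.iter("service")):
        found.add("accessibility_service")
    for text in sources:
        found.update(name for name, rx in MARKERS.items() if rx.search(text))
    return {
        "found": sorted(found),
        "legacy_indicators": bool(found & {"overlay_permission",
                                           "accessibility_service"}),
        # A dialer legitimately uses the first two markers; the combination with
        # a hook on Home/Recents is what matches the behaviour in the article.
        "call_lock": set(MARKERS) <= found,
    }

# Constructed samples, not taken from any real app.
MANIFEST = ('<manifest xmlns:android="http://schemas.android.com/apk/res/android">'
            '<application/></manifest>')
DIALER_SRC = ['builder.setCategory(Notification.CATEGORY_CALL)'
              '.setFullScreenIntent(pendingIntent, true);']
LOCKER_SRC = DIALER_SRC + ['protected void onUserLeaveHint() { showNote(); }']

if __name__ == "__main__":
    print(triage(MANIFEST, DIALER_SRC))
    print(triage(MANIFEST, LOCKER_SRC))
```

Framework method names survive name mangling of an app's own identifiers, but code that is loaded or decrypted at run time will not appear in a static scan like this one.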
This new mobile ransomware variant is important because it shows behavior that has not been seen before and could open the door for other malware to follow.