Sophisticated Android Ransomware Executes with the Home Button

mallocker android ransomware

The malware also has a unique machine-learning module.

A fresh variant of a sophisticated Android ransomware known as MalLocker locks up mobile devices – surfacing its ransom note when a user hits the Home button.

According to research from Microsoft, MalLocker is spreading via malicious website downloads (disguised as popular apps, cracked games or video players) and peddled in online forums, as it always has. However, “the new variant caught our attention because it’s an advanced malware with unmistakable malicious characteristic and behavior and yet manages to evade many available protections, registering a low detection rate against security solutions,” Microsoft researchers said, in a Thursday posting.

Threatpost Webinar Promo Retail Security

Click to register!

Android ransomware differs from its desktop counterparts by blocking access to the device with overlay screens containing ransom notes that prevent users from taking any action – it doesn’t actually encrypt anything. In MalLocker’s case, the overlay screen is surfaced using never-before-seen techniques that make use of certain Android features.

And, it has an open-source machine-learning module used to automatically fit the overlay screen to the device.

 New Permissions

Researchers noted that typical Android ransomware uses a special permission called “SYSTEM_ALERT_WINDOW.” The note is hooked to that permission, so that whenever an app is opened that has this permission, the ransom note is presented and can’t be dismissed.

“No matter what button is pressed, the window stays on top of all other windows,” researchers said. “The notification was intended to be used for system alerts or errors, but Android threats misused it to force the attacker-controlled UI to fully occupy the screen, blocking access to the device. Attackers create this scenario to persuade users to pay the ransom so they can gain back access to the device.”

MalLocker is different though: It uses the “call” notification, among several categories of notifications that Android supports, which requires immediate user attention. It combines this with the “onUserLeaveHint()” callback method of the Android Activity, which is a bedrock Android function. It surfaces the typical GUI screen that Android users see after closing an app or when the user presses the Home key to send current activity to the background.

“The malware connects the dots and uses these two components to create a special type of notification that triggers the ransom screen via the callback,” according to Microsoft. “The malware overrides the onUserLeaveHint() callback function [and] triggers the automatic pop-up of the ransomware screen without…posing as system window.”

The analysis added, “The malware creates a notification builder [and builds] a very important notification that needs special privilege. The setFullScreenIntent()…API wires the notification to a GUI so that it pops up when the user taps on it.”

Machine Learning

MalLocker’s machine-learning module indicates continuous evolution of this Android ransomware family, researchers said.

“This ransomware is the latest variant of a malware family that has undergone several stages of evolution,” researchers said. “We expect it to churn out new variants with even more sophisticated techniques. In fact, recent variants contain code forked from an open-source machine-learning module used by developers to automatically resize and crop images based on screen size, a valuable function given the variety of Android devices.”

The latest MalLocker variant is also indicative that mobile threat actors continuously attempt to sidestep technological barriers and creatively find ways to accomplish their goal – and can open the door to new malware trends.

“This new mobile ransomware variant is an important discovery because the malware exhibits behaviors that have not been seen before and could open doors for other malware to follow,” Microsoft added.

On October 14 at 2 PM ET Get the latest information on the rising threats to retail e-commerce security and how to stop them. Register today for this FREE Threatpost webinar, “Retail Security: Magecart and the Rise of e-Commerce Threats.” Magecart and other threat actors are riding the rising wave of online retail usage and racking up big numbers of consumer victims. Find out how websites can avoid becoming the next compromise as we go into the holiday season. Join us Wednesday, Oct. 14, 2-3 PM ET for this LIVE webinar.

Suggested articles

biggest headlines 2020

The 5 Most-Wanted Threatpost Stories of 2020

A look back at what was hot with readers — offering a snapshot of the security stories that were most top-of-mind for security professionals and consumers throughout the year.