This 'Latest Evolution' Ransomware Puts A Phone's Death Behind Its Home Button


Malware comes in many types and forms. Some carry devastating payloads, others are merely scary. This particular one lives under the Home button.

As discovered by Microsoft, a malware attack dubbed the “latest evolution of mobile ransomware” has been found affecting Android devices. Named AndroidOS/MalLocker.B, it lures victims by posing as popular games or apps on online forums and third-party websites.

While its methods of infection and distribution are common and nothing novel, the way MalLocker.B leverages certain Android features to evade detection is indeed innovative.

What makes MalLocker.B unique is that it employs a two-part mechanism to disable a victim's device.

First, MalLocker.B uses a call notification to cover the entire screen. Second, it abuses the very function that puts an activity into the background, triggered for example by pressing the ‘Home’ key.

This makes users see only what the malware's creators want them to see, namely the ransom note, and prevents victims from ever leaving that screen.

A sample ransom note used by older ransomware variants. (Credit: Microsoft)

According to a blog post from the Microsoft Defender Research Team, which discovered this malware:

"This new mobile ransomware variant is an important discovery because the malware exhibits behaviors that have not been seen before and could open doors for other malware to follow. It reinforces the need for comprehensive defense powered by broad visibility into attack surfaces as well as domain experts who track the threat landscape and uncover notable threats that might be hiding amidst massive threat data and signals."

It should be noted that some Android ransomware doesn't actually encrypt victims' files, despite claiming to. MalLocker.B is one of them.

Instead, it blocks users' access to the phone by taking over the entire screen with an overlay and displaying a ransom note on it.

Some Android malware, for example, uses the System Alert Window to take over a device's screen.

This worked in the past, but no longer does.

This is why MalLocker.B employs the two-part mechanism described above. The malware uses the onUserLeaveHint() Android callback, which is invoked when the user is about to push an app into the background, for example by pressing the Home button.

Using this method, MalLocker.B brings the ransom activity back into the foreground every time the user tries to leave it. And just like that, the victim's phone is rendered unusable.
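As an added example (not code from Microsoft's write-up or from the malware itself), here is a small Python triage script an analyst could run over decompiled Java source to flag the two indicators described above: an onUserLeaveHint() override that re-launches an activity, and a call-category notification carrying a full-screen intent. The sample sources are constructed; setFullScreenIntent and CATEGORY_CALL are the standard Android notification APIs assumed to be how a call notification covers the screen.

```python
import re
from typing import Dict

# Constructed sample of decompiled Java (hypothetical app, not MalLocker.B):
# an onUserLeaveHint() override that re-launches the activity, plus a
# call-category notification with a full-screen intent.
SUSPECT_ACTIVITY = """
public class LockActivity extends Activity {
    @Override
    protected void onUserLeaveHint() {
        super.onUserLeaveHint();
        startActivity(new Intent(this, LockActivity.class));
    }
    void notifyUser() {
        Notification.Builder b = new Notification.Builder(this, CH)
            .setCategory(Notification.CATEGORY_CALL)
            .setFullScreenIntent(pi, true);
    }
}
"""

# Constructed benign sample: a game that merely pauses when the user leaves.
BENIGN_ACTIVITY = """
public class GameActivity extends Activity {
    @Override
    protected void onUserLeaveHint() {
        super.onUserLeaveHint();
        pauseGame();
    }
}
"""

def _method_body(src: str, name: str) -> str:
    """Return the body of the first method called `name` via brace matching."""
    m = re.search(r'\b' + re.escape(name) + r'\s*\([^)]*\)\s*\{', src)
    if not m:
        return ""
    depth, i = 1, m.end()
    while i < len(src) and depth:
        depth += {'{': 1, '}': -1}.get(src[i], 0)
        i += 1
    return src[m.end():i - 1]

def screen_lock_indicators(src: str) -> Dict[str, bool]:
    """Heuristic checks for the foreground-restoring lock-screen pattern."""
    body = _method_body(src, "onUserLeaveHint")
    return {
        "relaunch_on_leave": bool(re.search(r'\bstartActivit(y|ies)\s*\(', body)),
        "full_screen_notification": "setFullScreenIntent(" in src,
        "call_category": "CATEGORY_CALL" in src,
    }

def verdict(src: str) -> str:
    ind = screen_lock_indicators(src)
    if ind["relaunch_on_leave"] and ind["full_screen_notification"]:
        return "suspicious"  # both halves of the two-part mechanism present
    return "review" if any(ind.values()) else "clean"
```

A hit on both indicators is a strong signal worth manual review; either one alone has legitimate uses, which is why it only yields "review".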

Knowledge graph of techniques used by the ransomware family, including abusing the System Alert Window, abusing accessibility features, and abusing notification services. (Credit: Microsoft)

This has led some people to think that the infected phone is bricked, even though it isn't. The phone itself works fine.

Since the malware doesn’t have root access or any special system permissions, MalLocker.B can be removed via Safe Mode, factory reset or ADB.

But victims may not know that, because all they see is the persistent ransomware screen stuck front and center.

As a result, victims may think their phone is bricked, pay the ransom, or throw the phone away. This is disheartening, since the phone's hardware and firmware are totally fine. MalLocker.B is just malware that performs a software obstruction, albeit a reasonably devastating one.

Making things worse, MalLocker.B also carries a context-aware machine-learning code module, which makes it a sophisticated piece of malware.

At the time of discovery, however, the team at Microsoft found that the module had yet to be activated.

But even without it, MalLocker.B is already worrisome.

Although this technique represents the "latest evolution in Android ransomware", MalLocker.B is not really the first malware to abuse the Home button for malicious purposes.

While some antivirus software from various vendors can detect ransomware variants like MalLocker.B, the best way for users to stay protected is to avoid downloading apps from non-reputable third-party app stores and unverified sources.

Published: 12/10/2020