Microsoft has been working to extend its endpoint protection capabilities to Android, courtesy of the company’s mobile threat defense capabilities. As part of Microsoft’s on-going efforts to provide organizations with tools that detect and respond to threats across domains and platforms, the company has discovered new Android ransomware.
Microsoft discovers new Android MalLocker ransomware
“We found a piece of a particularly sophisticated Android ransomware with novel techniques and behavior, exemplifying the rapid evolution of mobile threats that we have also observed on other platforms,” said Dinesh Venkatesan from the Microsoft Defender Research Team.
According to Microsoft, the newly discovered Android malware belongs to the MalLocker ransomware family, which continues to evolve. The malware is usually hosted on arbitrary websites and circulated on online forums with the help of various social engineering techniques, often masquerading as popular apps, cracked games, or video players.
“The new variant caught our attention because it’s an advanced malware with unmistakable malicious characteristics and behavior and yet manages to evade many available protections, registering a low detection rate against security solutions,” Venkatesan added.
Unlike most ransomware targeting Android users, the latest variant of MalLocker doesn’t prevent users from accessing files on the device by encrypting them. Instead, it displays a screen that appears over every other window. So, naturally, users are unable to do or see anything else. Interestingly, the screen doubles as the ransom note that describes threats and procedures on how to pay the ransom.
According to Microsoft, the key point is how the ransom note screen is displayed: this ransomware surfaces its ransom note using Android features no other malware has leveraged before. The malware also uses an open-source machine learning module for context-aware cropping of the ransom note, so that it fits the device screen.
Microsoft has revealed that this ransomware family uses a special permission called “SYSTEM_ALERT_WINDOW” to display its ransom note.
The ransomware abuses the “call” notification, the type normally used to alert the user about incoming calls, to display a window that fully covers the screen. Then, as soon as the user presses the Home or Recents key, the malware’s code ties the two actions together: the callback fired by that key press re-triggers the ransom screen.
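As an added defender-side example (not code from the article or from Microsoft), the following Python triage heuristic checks decompiled app output for the three building blocks described above: the overlay permission, a call-category full-screen notification, and a Home/Recents callback. The Android API names used as indicators (onUserLeaveHint, CATEGORY_CALL, setFullScreenIntent) are my assumption about how that behaviour is implemented, and the manifest and source snippets are constructed, not taken from a real sample.

```python
"""Static triage heuristic for the MalLocker-style ransom-screen pattern.

Checks a decompiled Android app (decoded AndroidManifest.xml plus Java/smali
sources) for the SYSTEM_ALERT_WINDOW permission, a "call"-category
notification whose full-screen intent covers the display, and a callback
that re-triggers the screen when the user presses Home/Recents.  The API
names below are an assumption about how the described behaviour is coded.
"""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Source-level indicators, grouped by the behaviour they map to.
SOURCE_INDICATORS = {
    "full_screen_call_notification": [r"\bCATEGORY_CALL\b", r"\bsetFullScreenIntent\b"],
    "home_recents_callback": [r"\bonUserLeaveHint\b"],
}

def manifest_requests_overlay(manifest_xml: str) -> bool:
    """True if the decoded manifest declares SYSTEM_ALERT_WINDOW."""
    root = ET.fromstring(manifest_xml)
    return any(
        el.get(ANDROID_NS + "name") == "android.permission.SYSTEM_ALERT_WINDOW"
        for el in root.iter("uses-permission")
    )

def triage(manifest_xml: str, sources: dict) -> dict:
    """Return which indicators fire; sources maps file path -> decompiled text."""
    hits = {"overlay_permission": manifest_requests_overlay(manifest_xml)}
    for label, patterns in SOURCE_INDICATORS.items():
        hits[label] = all(
            any(re.search(p, text) for text in sources.values()) for p in patterns
        )
    # The article's point is the combination: a notification used as an overlay
    # plus a callback that re-surfaces it when the user tries to leave.
    hits["suspicious"] = hits["full_screen_call_notification"] and hits["home_recents_callback"]
    return hits

# Constructed sample input standing in for apktool/jadx output (not real malware).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sample">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
</manifest>"""
SAMPLE_SOURCES = {
    "MainActivity.java": "protected void onUserLeaveHint() { showNote(); }",
    "Noter.java": "b.setCategory(Notification.CATEGORY_CALL);\nb.setFullScreenIntent(pi, true);",
}

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, SAMPLE_SOURCES))
```

Run it against the decoded output of a real unpacking tool by swapping in the manifest text and a path-to-source mapping; a hit is a triage lead, not a verdict, since legitimate dialer apps also use full-screen call notifications.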
In August, Microsoft made Defender ATP for Android available on the Google Play Store to safeguard Android users against such attacks.