Microsoft’s Defender Research Team has found a particularly sophisticated piece of Android ransomware with novel techniques and behaviour, exemplifying the rapid evolution of mobile threats that the team has also observed on other platforms.
The mobile ransomware is the latest variant of a ransomware family that’s been in the wild for a while but has been evolving non-stop. This ransomware family is known for being hosted on arbitrary websites and circulated on online forums using various social engineering lures, including masquerading as popular apps, cracked games, or video players.
The new variant caught the Microsoft team’s attention because it is an advanced piece of malware with unmistakable malicious characteristics and behaviour, yet it manages to evade many available protections, registering a low detection rate against security solutions.
As with most Android ransomware, this new threat doesn’t actually block access to files by encrypting them. Instead, it blocks access to the device by displaying a screen that appears over every other window, so that the user can’t do anything else. That screen is the ransom note, which contains threats and instructions for paying the ransom.
What’s innovative about this ransomware is how it displays its ransom note. In the past, Android ransomware used a special permission called “SYSTEM_ALERT_WINDOW” to display its ransom note. Apps that have this permission can draw a window that belongs to the system group and can’t be dismissed. No matter what button is pressed, the window stays on top of all other windows.
This window type was intended for system alerts or errors, but Android threats misused it to force the attacker-controlled UI to fully occupy the screen, blocking access to the device. Attackers create this scenario to persuade users to pay the ransom so they can regain access to the device.
The new Android ransomware variant overcomes existing barriers by evolving further. To surface its ransom note, it uses a series of techniques that take advantage of the following components on Android:
- The “call” notification, among several categories of notifications that Android supports, which requires immediate user attention.
- The “onUserLeaveHint()” callback method of the Android Activity (i.e., the typical GUI screen the user sees) is called as part of the activity lifecycle when the activity is about to go into the background as a result of user choice, for example, when the user presses the Home key.
The malware connects the dots and uses these two components to create a special type of notification that triggers the ransom screen via the callback. The malware then creates a notification builder and does the following:
- setCategory(“call”) – This means that the notification is built as a very important notification that needs special privilege.
- setFullScreenIntent() – This API wires the notification to a GUI so that it pops up when the user taps on it. At this stage, half the job is done for the malware. However, the malware doesn’t want to depend on user interaction to trigger the ransomware screen, so it adds another piece of Android functionality, a callback:
The malware overrides the onUserLeaveHint() callback function of the Activity class. The function onUserLeaveHint() is called whenever the malware screen is pushed to the background, and the override causes the in-call Activity to be automatically brought back to the foreground.
Recall that the malware hooked the RansomActivity intent to the notification that was created as a “call” type notification. This creates a chain of events that triggers the automatic pop-up of the ransomware screen without an infinite redraw loop or posing as a system window.
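The three APIs named above (a “call” category notification, setFullScreenIntent(), and an onUserLeaveHint() override) are what an analyst can look for when triaging decompiled APKs. The following is an added example of such a static triage heuristic; it is not Microsoft’s code and does not reproduce Defender’s detection logic. It assumes the input is decompiled Java text of the kind a tool such as jadx produces, and the three sample fragments are constructed for the example (the “suspect” fragment contains only the indicator lines from the write-up, not a working app).

```python
import re

# Constructed sample inputs (not from the Microsoft report): fragments of
# decompiled Java. The "suspect" fragment only carries the indicator lines
# the write-up names; bodies are omitted on purpose.
SAMPLE_BENIGN = """
NotificationCompat.Builder b = new NotificationCompat.Builder(this, "chat");
b.setCategory(NotificationCompat.CATEGORY_MESSAGE);
b.setContentTitle("New message");
manager.notify(1, b.build());
"""

SAMPLE_SUSPECT = """
NotificationCompat.Builder b = new NotificationCompat.Builder(this, "svc");
b.setCategory("call");
b.setFullScreenIntent(pendingIntent, true);
manager.notify(7, b.build());

@Override
protected void onUserLeaveHint() {
    /* body omitted */
}
"""

# A dialer-style app legitimately uses the first two APIs but never the hook.
SAMPLE_VOIP = """
b.setCategory(NotificationCompat.CATEGORY_CALL);
b.setFullScreenIntent(incomingCallIntent, true);
"""

# One regex per indicator from the write-up. They are deliberately loose:
# they run over decompiled text, not a parsed AST.
INDICATORS = {
    "call_category": re.compile(
        r'setCategory\(\s*(?:"call"|(?:NotificationCompat|Notification)\.CATEGORY_CALL)\s*\)'),
    "full_screen_intent": re.compile(r'\.setFullScreenIntent\s*\('),
    "user_leave_hint_override": re.compile(r'\bvoid\s+onUserLeaveHint\s*\(\s*\)'),
    # Previous-generation technique mentioned earlier in the write-up.
    "system_alert_window": re.compile(r'\bSYSTEM_ALERT_WINDOW\b'),
}

# All three pieces of the self-relaunching call-notification chain.
SCREEN_LOCK_CHAIN = {"call_category", "full_screen_intent", "user_leave_hint_override"}


def find_indicators(source: str) -> set:
    """Return the names of the indicators present in a decompiled source blob."""
    return {name for name, rx in INDICATORS.items() if rx.search(source)}


def assess(source: str) -> tuple:
    """Classify a blob as 'high', 'medium', 'low' or 'none' and return the hits.

    The verdict depends on co-occurrence: the APIs are all legitimate on their
    own, so only the full chain earns a high score.
    """
    found = find_indicators(source)
    if SCREEN_LOCK_CHAIN <= found:
        return "high", found
    if "user_leave_hint_override" in found and "full_screen_intent" in found:
        # Relaunch hook plus full-screen intent without the call category:
        # still worth an analyst's attention.
        return "medium", found
    if found & {"full_screen_intent", "system_alert_window"}:
        # Dialers, alarm clocks and accessibility tools use these; on their
        # own they are context, not a verdict.
        return "low", found
    return "none", found


if __name__ == "__main__":
    for label, blob in (("benign", SAMPLE_BENIGN),
                        ("voip-like", SAMPLE_VOIP),
                        ("suspect", SAMPLE_SUSPECT)):
        verdict, hits = assess(blob)
        print(f"{label:10s} {verdict:6s} {sorted(hits)}")
```

The point of the tiered scoring is the caveat the write-up implies: a VoIP client or incoming-call screen legitimately combines a “call” category with a full-screen intent, so that pair alone is not suspicious. What distinguishes the ransomware is the third element, the onUserLeaveHint() override that drags the screen back whenever the user tries to leave it, and the heuristic only reaches a high verdict when all three are present.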
This new mobile ransomware variant is an important discovery because the malware exhibits behaviours that have not been seen before and could open doors for other malware to follow. It reinforces the need for comprehensive defence powered by broad visibility into attack surfaces as well as domain experts who track the threat landscape and uncover notable threats that might be hiding amidst massive threat data and signals.
Microsoft Defender for Endpoint on Android, now generally available, extends Microsoft’s industry-leading endpoint protection to Android. It detects this ransomware (AndroidOS/MalLocker.B), as well as other malicious apps and files using cloud-based protection powered by deep learning and heuristics, in addition to content-based detection.
It also protects users and organizations from other mobile threats, such as mobile phishing, unsafe network connections, and unauthorized access to sensitive data.
Malware, phishing, and other threats detected by Microsoft Defender for Endpoint are reported to the Microsoft Defender Security Center, allowing SecOps to investigate mobile threats along with endpoint signals from Windows and other platforms using Microsoft Defender for Endpoint’s rich set of tools for detection, investigation, and response.
More details of the Microsoft Defender Research Team’s report can be read here.