A new strain of Android ransomware is currently circulating on the web. Called MalLocker.B, it is a known threat that has reappeared with new techniques. These include a new way to display the ransom note and an obfuscation technique that evades security tools.
According to Microsoft’s analysis of the variant, it is “an advanced malware with unmistakable malicious characteristics and behavior.” The threat is also quite successful in evading mobile security protections, thus keeping a low detection rate.
MalLocker.B Android Ransomware Technical Details
As with most mobile ransomware, the new variant doesn’t encrypt files on the compromised Android device. Instead, it blocks access to the device by showing a ransom screen that covers every other window. This way, the user can’t perform any other actions with their device. The ransom screen contains instructions on how to pay the ransom.
One of the novelties in this variant is the way the ransomware displays the ransom note. MalLocker.B abuses the call notification, together with some other categories of notifications supported by Android. All of them require immediate user interaction. Another feature that the ransomware exploits is the “onUserLeaveHint()” callback method of the Android Activity. The callback is called as part of the activity lifecycle when the activity is about to go into the background as a result of user choice, Microsoft researchers explain.
MalLocker.B takes advantage of these two components to create a special type of notification. The notification triggers the ransom screen via the callback.
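A defender triaging decompiled app sources can look for the two components described above appearing together. The following is an added example, not code from Microsoft's report or from the malware; the way the indicators appear in source, the sample files and the enterPip() helper are assumptions constructed for illustration.

```python
import re

# Indicators for the two components named in the article. How they show up
# in decompiled Java source is an assumption of this example.
INDICATORS = {
    "leave_hint_override": re.compile(r'\bvoid\s+onUserLeaveHint\s*\('),
    "call_category": re.compile(r'CATEGORY_CALL\b|setCategory\(\s*"call"\s*\)'),
}
COMMENTS = re.compile(r"//[^\n]*|/\*.*?\*/", re.S)

def scan_source(text):
    """Return the indicator names found in one source file, ignoring comments."""
    code = COMMENTS.sub("", text)
    return {name for name, rx in INDICATORS.items() if rx.search(code)}

def triage(app):
    """app maps file path -> source text. Mark for review only when both
    indicators occur somewhere in the same app; each one alone is common."""
    hits = {name: [] for name in INDICATORS}
    for path, text in sorted(app.items()):
        for name in scan_source(text):
            hits[name].append(path)
    return {"hits": hits, "review": all(hits.values())}

# Constructed samples (not real app or malware code).
LOCKER_LIKE = {
    "a/LockActivity.java": "class LockActivity extends Activity {\n"
                           "  protected void onUserLeaveHint() { /* elided */ }\n}",
    "a/Notifier.java": "b.setCategory(Notification.CATEGORY_CALL);",
}
VOIP_APP = {  # legitimate call notifications, callback only mentioned in a comment
    "v/Ringer.java": 'b.setCategory("call"); // void onUserLeaveHint() removed',
}
VIDEO_APP = {  # legitimate override (e.g. picture-in-picture), no call category
    "p/Player.java": "public void onUserLeaveHint() { enterPip(); }",
}

if __name__ == "__main__":
    for name, app in [("locker-like", LOCKER_LIKE), ("voip", VOIP_APP),
                      ("video", VIDEO_APP)]:
        print(name, triage(app))
```

A positive result is a prompt for manual review rather than a verdict, since obfuscated builds may hide both strings and legitimate apps can use both features.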
Security researchers expect further development of MalLocker
The MalLocker Android ransomware family has been evolving, adopting various techniques. Its latest variant only shows that its authors are far from done. Microsoft researchers believe that new variants will be appearing soon, with even more sophisticated behavior.
“In fact, recent variants contain code forked from an open-source machine learning module used by developers to automatically resize and crop images based on screen size, a valuable function given the variety of Android devices,” the experts explain in their report. In conclusion, the discovery of MalLocker.B is significant, as it exhibits previously unseen behavior and can open the door to other malware.