Security researchers at Microsoft discovered a new variant of MalLocker, a constantly evolving Android ransomware family that has been circulating in the wild since at least 2014.
The new variant named AndroidOS/MalLocker.B incorporates several never-before-seen techniques and is capable of abusing mechanisms behind the "incoming call" notification and the "Home" button to lock screens on users' devices. The MalLocker ransomware is typically spread via arbitrary websites and online forums, or hidden in popular apps and video players for mobile devices.
Like other Android ransomware, MalLocker does not actually encrypt files on the victim's device; it merely blocks access to the infected device by displaying a ransom note that appears over every other window. Regardless of which button the user clicks, the screen remains on top of all other windows.
What is different about this new variant is how it achieves persistence. While previous Android ransomware families used a special permission called “SYSTEM_ALERT_WINDOW” to display their ransom note, the new MalLocker version abuses the “call” notification feature and the “onUserLeaveHint()” callback method of the Android Activity.
“The 'onUserLeaveHint()' callback method is called as part of the activity lifecycle when the activity is about to go into the background as a result of user choice, for example, when the user presses the Home key,” Microsoft explains.
The malware uses these two features to create a special type of notification that triggers the ransom screen via the callback.
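The two behaviours described above (an Activity that relaunches itself from onUserLeaveHint, and a call-style full-screen notification) can be checked for during static triage of decompiled Android sources. The following script is an added example, not code from Microsoft's report or from the malware; the Java snippet it scans is a constructed sample, and the heuristic only flags patterns for a human analyst to review.

```python
import re

# Constructed sample of decompiled Java from a hypothetical APK (not taken from the page).
SAMPLE_SOURCE = """
public class LockActivity extends Activity {
    @Override
    protected void onUserLeaveHint() {
        super.onUserLeaveHint();
        Intent i = new Intent(this, LockActivity.class);
        startActivity(i);   // relaunches the lock screen when Home is pressed
    }
}
public class CallNotifier {
    void show(Context c, PendingIntent pi) {
        Notification.Builder b = new Notification.Builder(c, "calls");
        b.setCategory(Notification.CATEGORY_CALL);
        b.setFullScreenIntent(pi, true);
    }
}
public class BenignActivity extends Activity {
    @Override
    protected void onUserLeaveHint() {
        super.onUserLeaveHint();
        player.pause();     // legitimate use: pause playback on Home
    }
}
"""

def method_bodies(src, name):
    """Return the body of every method named `name`, found by brace matching
    (a call such as `super.name();` is not followed by `{` and is skipped)."""
    bodies = []
    for m in re.finditer(r'\b' + re.escape(name) + r'\s*\([^)]*\)\s*\{', src):
        depth, i = 1, m.end()
        while i < len(src) and depth:
            depth += {'{': 1, '}': -1}.get(src[i], 0)
            i += 1
        bodies.append(src[m.end():i - 1])
    return bodies

def triage(src):
    """Heuristic findings for MalLocker.B-style screen-lock persistence."""
    findings = []
    relaunch = [b for b in method_bodies(src, 'onUserLeaveHint') if 'startActivity(' in b]
    if relaunch:
        findings.append(f'{len(relaunch)} onUserLeaveHint override(s) start an Activity (Home-key persistence)')
    if 'setFullScreenIntent(' in src and 'CATEGORY_CALL' in src:
        findings.append('full-screen call-category notification built')
    return findings

if __name__ == '__main__':
    for f in triage(SAMPLE_SOURCE):
        print('SUSPICIOUS:', f)
```

Only the LockActivity override is reported; BenignActivity overrides the same callback but does not start an Activity, which is why the check inspects the method body rather than the override alone.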
In addition, the new MalLocker variant packs an open-source machine-learning module that determines the infected device's screen size, so the ransom note can be automatically resized and cropped to fit it without distortion.
“This new mobile ransomware variant is an important discovery because the malware exhibits behaviors that have not been seen before and could open doors for other malware to follow. It reinforces the need for comprehensive defense powered by broad visibility into attack surfaces as well as domain experts who track the threat landscape and uncover notable threats that might be hiding amidst massive threat data and signals,” Microsoft said.