Android Ransomware Activates with the Home Button
A new variant of MalLocker locks up mobile devices with a ransom note when a user hits the Home button. According to researchers from Microsoft, MalLocker spreads through website downloads and online forums. The new variant is an advanced piece of malware that manages to avoid detection. Android ransomware differs from its desktop counterparts: it blocks access to the device with screens containing ransom notes that prevent any action, and it doesn't encrypt anything. In MalLocker's case, the overlay screen is surfaced using techniques that make use of certain Android features. It also includes an open-source machine-learning module used to automatically fit the overlay screen to the device.
Typical Android ransomware uses a special permission called SYSTEM_ALERT_WINDOW. The note is hooked to that permission, so that whenever an app that has this permission is opened, the ransom note is shown and can't be dismissed. No matter what button is pressed, the window stays on top of all other windows. The notification was intended to be used for system errors, but Android threats misuse it to force the hacker-controlled UI to fully occupy the screen. This blocks access to the device. Hackers do this to force users to pay the ransom.
MalLocker differs from other Android ransomware: it uses the call notification, which requires immediate user attention. It combines this with the onUserLeaveHint() callback method of the Android Activity, which is one of the main Android functions. The malware uses these two components to create a special type of notification that triggers the ransom screen via the callback. It overrides the onUserLeaveHint() callback function so that the ransomware screen pops up automatically.
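The two approaches described above can be checked for during static triage of a decompiled app. The following is an added example, not code from the original article or from Microsoft's research: the sample manifest and source files are constructed, the indicator names are hypothetical, and matching the call notification as `setCategory("call")` or `CATEGORY_CALL` is an assumption about how it appears in decompiled code.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"
# Constructed sample inputs (not taken from any real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.sample">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""
SAMPLE_SOURCES = {
    "LockActivity.java": "class LockActivity extends Activity {\n"
                         "  @Override protected void onUserLeaveHint() { }\n}",
    "Notifier.java": 'builder.setCategory("call");',
    "Player.java": "class Player extends Activity { }",
}

# Assumption: how the two components appear in decompiled Java/Kotlin.
INDICATORS = {
    "overrides_onUserLeaveHint":
        re.compile(r"\b(?:void|fun)\s+onUserLeaveHint\s*\(\s*\)"),
    "call_category_notification":
        re.compile(r"setCategory\s*\(\s*(?:\"call\"|[\w.]*CATEGORY_CALL)\s*\)"),
}

def manifest_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}

def triage(manifest_xml, sources):
    """Map each indicator to the files showing it and return a review verdict."""
    findings = {}
    if OVERLAY_PERM in manifest_permissions(manifest_xml):
        findings["requests_SYSTEM_ALERT_WINDOW"] = ["AndroidManifest.xml"]
    for name, text in sorted(sources.items()):
        for label, pattern in INDICATORS.items():
            if pattern.search(text):
                findings.setdefault(label, []).append(name)
    if {"overrides_onUserLeaveHint", "call_category_notification"} <= set(findings):
        verdict = "review: call notification combined with onUserLeaveHint()"
    elif "requests_SYSTEM_ALERT_WINDOW" in findings:
        verdict = "review: overlay permission requested"
    else:
        verdict = "no indicators"
    return findings, verdict

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, SAMPLE_SOURCES))
```

Each indicator also occurs in legitimate apps, so a hit marks a sample for manual review rather than classifying it.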
MalLocker's machine-learning module also indicates continuous evolution of this Android ransomware family. This ransomware is the latest variant of a malware family that has had several modifications. The most recent variants contain code forked from an open-source machine-learning module used by developers to automatically resize and crop images based on screen size.
Mobile threats continue to evolve, with hackers continuously bypassing technological barriers and finding ways to accomplish their goal, whether it is financial gain or finding an entry point to broader network compromise. The new MalLocker variant is an important discovery because the malware exhibits behaviors that have not been seen before and could open doors for other malware to follow. You need a comprehensive defense strategy that takes into account points of vulnerability as well as detecting and tracking threats that may be lurking.