
Android Ransomware Has Picked Up Some Foreboding New Tricks

Though ransomware has been around for years, it poses an ever-increasing threat to hospitals, municipal governments, and basically any institution that can’t tolerate downtime. But along with the various types of PC malware typically used in these attacks, there’s another burgeoning platform for ransomware as well: Android phones. And new research from Microsoft shows that criminal hackers are investing time and resources in refining their mobile ransomware tools—a sign that their attacks are generating payouts.

Released on Thursday, the findings, which were detected using Microsoft Defender on mobile, look at a variant of a known Android ransomware family that has added some clever tricks. That includes a new ransom note delivery mechanism, improved techniques to avoid detection, and even a machine learning component that could be used to fine-tune the attack for different victims’ devices. While mobile ransomware has been around since at least 2014 and still isn’t a ubiquitous threat, it could be poised to take a bigger leap.

“It’s important for all users out there to be aware that ransomware is everywhere and it’s not just for your laptops, but for any device that you use and connect to the internet,” says Tanmay Ganacharya, who leads the Microsoft Defender research team. “The effort that attackers put in to compromise a user’s device—their intent is to profit from it. They go wherever they believe they can make the most money.”

Mobile ransomware can encrypt files on a device the way PC ransomware does, but it often uses a different method. Many attacks simply plaster the victim’s entire screen with a ransom note that blocks them from doing anything else on the phone, even after a restart. Attackers have typically abused an Android permission called “SYSTEM_ALERT_WINDOW” to create an overlay window that the user couldn’t dismiss or circumvent. Security scanners started to detect and flag apps that could produce this behavior, though, and Google added protections against it last year in Android 10. As an alternative to the old approach, Android ransomware can still abuse accessibility features or use mapping techniques to draw and redraw overlay windows.

The ransomware Microsoft observed, which it calls AndroidOS/MalLocker.B, has a different strategy, though. It invokes and manipulates notifications intended for use when you’re receiving a phone call. But the scheme overrides the typical flow of a call eventually going to voicemail or simply ending—since there is no actual call—and instead distorts the notifications into a ransom note overlay that you can’t avoid and that the system prioritizes in perpetuity.

The researchers also discovered a machine learning module in the malware samples they analyzed that could be used to automatically size and zoom a ransom note based on the size of a victim’s device display. Given the diversity of Android handsets in use around the world, such a feature would be useful to attackers for ensuring that the ransom note displayed cleanly and legibly. Microsoft found, though, that this ML component wasn’t actually activated within the ransomware and may still be in testing for future use.

In an attempt to evade detection by Google’s own security systems or other mobile scanners, the Microsoft researchers found that the ransomware was designed to mask its functions and purpose. Every Android app must include a “manifest file” that contains the names and details of its software components, like a ship’s manifest that lists all passengers, crew, and cargo. Aberrations in a manifest file are often an indicator of malware, and the ransomware developers managed to leave out the code for numerous components declared in theirs. Instead, they encrypted that code to make it even harder to assess and hid it in a different folder, so the ransomware could still run but wouldn’t immediately reveal its malicious intent. The hackers also used other techniques, including what Microsoft calls “name mangling,” to mislabel and conceal the malware’s components.
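The manifest aberrations described above are something a triage script can check for. The following is an added example, not code from Microsoft or from the malware analysis; it parses a constructed AndroidManifest.xml, flags permissions associated with screen-locking overlays (SYSTEM_ALERT_WINDOW and the accessibility-service binding), and lists declared components whose classes are absent from a constructed set of class names that a decompiler would have recovered from the app’s code.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
# Permissions the article ties to undismissable ransom-note overlays.
OVERLAY_PERMISSIONS = {
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.BIND_ACCESSIBILITY_SERVICE",
}
COMPONENT_TAGS = ("activity", "service", "receiver")

# Constructed sample manifest for a hypothetical package: it requests an
# overlay permission and declares two components that have no class in the code.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.lockscreen">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <activity android:name=".MainActivity"/>
    <receiver android:name=".BootReceiver"/>
    <service android:name="com.example.lockscreen.LockService"/>
  </application>
</manifest>
"""
# Constructed set of classes actually present in the app's DEX code.
SAMPLE_DEX_CLASSES = {"com.example.lockscreen.MainActivity"}


def _qualify(package, name):
    """Resolve a manifest component name to a fully qualified class name."""
    if name.startswith("."):
        return package + name
    if "." not in name:
        return package + "." + name
    return name


def check_manifest(manifest_xml, dex_classes):
    """Return (flagged_permissions, missing_components) sorted for triage.

    A component declared in the manifest but absent from the code is the
    kind of mismatch the article cites as a malware indicator."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    name_attr = "{%s}name" % ANDROID_NS
    perms = sorted(p.get(name_attr) for p in root.iter("uses-permission")
                   if p.get(name_attr) in OVERLAY_PERMISSIONS)
    missing = []
    for tag in COMPONENT_TAGS:
        for comp in root.iter(tag):
            cls = _qualify(package, comp.get(name_attr, ""))
            if cls not in dex_classes:
                missing.append(cls)
    return perms, sorted(missing)
```

On the sample input the check reports the overlay permission and the two declared-but-missing components; on a real APK the class set would come from a DEX decompiler rather than a hand-written set.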