A new, advanced ransomware variant has appeared on Android-based mobile devices, masquerading as popular apps, carrying a distinctive characteristic and managing to evade detection, Microsoft security researchers said.
This latest ransomware version, which Microsoft identified as AndroidOS/MalLocker.B, has been previously found in the wild but has evolved “further than any Android malware we’ve seen before,” said Dinesh Venkatesan, a Microsoft security researcher, in a blog post. He called the mobile variant an “important discovery” because it acts in ways that haven’t previously been seen and could spark other, similar malware also featuring a novel “obfuscation technique unique to the Android platform.”
The new threat doesn’t block access to files by encrypting them, as many iterations of Android ransomware do, but instead displays a screen on top of every other window, preventing the user from accessing the device, Venkatesan wrote. In that scenario, the “screen is the ransom note” carrying the ransom demands. “This ransomware surfaces its ransom note using Android features we haven’t seen leveraged by malware before, as well as incorporating an open-source machine learning module designed for context-aware cropping of its ransom note,” Venkatesan said.
Previous Android malware has hijacked the “SYSTEM_ALERT_WINDOW” permission, which is intended for system alerts or errors, making it impossible for users to dismiss the window with the ransom note no matter what button is pressed. Only by paying the ransom can users regain access to their devices. But this malware is different, Venkatesan said.
The authors have moved from abusing the system alert permission to exploiting accessibility features, and now to abusing notification services. “This ransomware family’s long history tells us that its evolution is far from over,” he said. “We expect it to churn out new variants with even more sophisticated techniques. In fact, recent variants contain code forked from an open-source machine learning module used by developers to automatically resize and crop images based on screen size, a valuable function given the variety of Android devices.”
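As an added illustration that is not part of the article or of Microsoft’s research, the following triage helper checks a decoded AndroidManifest.xml for the three capabilities this family has abused in turn: the overlay permission, an accessibility service, and a notification listener service. It assumes the manifest has already been decoded to plain XML (for example with apktool); the sample manifest and its package and service names are constructed placeholders.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION = f"{{{ANDROID_NS}}}permission"

# The three capability stages the article describes for this family.
OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"
SERVICE_BINDINGS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility_service",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "notification_listener",
}


def triage_manifest(manifest_xml):
    """Report which overlay/accessibility/notification capabilities a decoded
    AndroidManifest.xml declares. Assumes plain XML input (binary AXML must be
    decoded first, e.g. with apktool)."""
    root = ET.fromstring(manifest_xml)
    findings = {"overlay": False, "accessibility_service": [], "notification_listener": []}
    # Overlay capability is requested as an ordinary uses-permission entry.
    for up in root.iter("uses-permission"):
        if up.get(NAME) == OVERLAY_PERM:
            findings["overlay"] = True
    # Accessibility and notification-listener services are recognised by the
    # system-held BIND_* permission the service declares on itself.
    for svc in root.iter("service"):
        kind = SERVICE_BINDINGS.get(svc.get(PERMISSION))
        if kind:
            findings[kind].append(svc.get(NAME))
    return findings


# Constructed manifest for a hypothetical look-alike app (names are placeholders).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.lookalike">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <service android:name=".NoteService"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter>
        <action android:name="android.service.notification.NotificationListenerService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

A hit on any of these is only a lead for closer review, since legitimate apps such as screen filters or accessibility tools declare the same capabilities.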
Android-directed mobile malware threats have picked up of late. In June, ESET security researchers uncovered another new family of threats, which they have dubbed CryCryptor, leveraging the coronavirus (COVID-19) pandemic. The malware strain, which locks up personal photos and videos, is attacking users in Canada by impersonating an official COVID-19 tracing app provided by Health Canada. The ransomware’s release, including its timing, coincided with an announcement by the Canadian government that it would back the development of a nationwide, voluntary tracing app called COVID Alert, ESET said.