A currently emerging threat is mobile ransomware. Infecting a system with malware that encrypts files and folders and then demands payment before the user can regain access to them, or with malware that accuses the user of a crime, such as possession of child pornography, and demands payment of a “fine” to resolve the issue, are both examples of ransomware schemes. Long common in the desktop computing world, these schemes are now increasingly seen on mobile devices.
After a device is infected with ransomware, the malicious app prevents use of the device and displays a pop-up window notifying the user that the device has been encrypted, or that the user has committed an illegal offense and must pay a fine to regain use of the device or decrypt the data. Underneath, the data may or may not actually be encrypted, so it is worth attempting an extraction and examination of an infected device before considering any ransom payment.
The Trojan-Ransom.AndroidOS.Small malware and its modification, Trojan-Ransom.AndroidOS.Small.o, were the most active in Russia and Kazakhstan. A new, similar mobile malware, AndroidOS/MalLocker.B, was detected by Microsoft Defender for Endpoint, and while the malware is new, many of its tactics are the same.[1] Users are often infected while visiting questionable sites, such as those hosting gaming, gambling, and pornography, and the malware is also passed around through social engineering to users looking for free or cracked applications.
What is interesting about this application, and many of those that attempt to extort users by claiming to lock, encrypt, or delete files until a ransom is paid, is that most often, the file system data is left untouched by the offending malware.
The way the attack is carried out, however, leads users to believe that they have no way to access their data other than paying the ransom, because the screen appears to be locked down and the user cannot navigate away.
Historically, ransomware leveraged special permissions such as BIND_DEVICE_ADMIN, which, when granted to an app, allows it to wipe, lock, or reset the passcode of the device, or SYSTEM_ALERT_WINDOW, which allows an app to overlay its notification message, in this case the ransom demand, over all other screens with no way for the user to exit the offending screen.
After system protections were put into place specifically to thwart this attack method, new methods were introduced that leverage Android notification mechanisms such as the call notification type (and other notification types) together with the “onUserLeaveHint()” callback method (invoked when the user navigates away from an activity, for example by pressing Home) to automatically pop up the ransomware screen and push it to the foreground of the user’s device.
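As an added triage example (not code from the original text or from any of the malware families named above), the following script checks a decoded AndroidManifest.xml for the indicators discussed here: the SYSTEM_ALERT_WINDOW overlay permission and a receiver protected by BIND_DEVICE_ADMIN. It assumes the manifest has already been decoded to plain XML (for example with apktool), and it additionally flags USE_FULL_SCREEN_INTENT, the permission behind call-style full-screen notifications, which the text above does not name.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Indicators named in the text above. USE_FULL_SCREEN_INTENT is an addition:
# it is the Android 10+ permission behind call-style full-screen notifications.
RISKY_PERMISSIONS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "can draw over every other screen",
    "android.permission.USE_FULL_SCREEN_INTENT": "can launch a full-screen activity from a notification",
}
DEVICE_ADMIN_PERMISSION = "android.permission.BIND_DEVICE_ADMIN"

# Constructed sample of a decoded manifest (not taken from any real sample).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.locker">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.USE_FULL_SCREEN_INTENT"/>
    <application android:label="Free Game">
        <receiver android:name=".AdminReceiver"
            android:permission="android.permission.BIND_DEVICE_ADMIN">
            <intent-filter>
                <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>"""


def triage_manifest(manifest_xml: str) -> dict:
    """Collect lock-screen/extortion indicators from a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    findings = {"permissions": [], "device_admin_receivers": []}
    for perm in root.iter("uses-permission"):
        name = perm.get(ANDROID_NS + "name", "")
        if name in RISKY_PERMISSIONS:
            findings["permissions"].append((name, RISKY_PERMISSIONS[name]))
    for receiver in root.iter("receiver"):
        # A receiver protected by BIND_DEVICE_ADMIN is a DeviceAdminReceiver:
        # once the user enables it, the app can lock, wipe or reset the passcode.
        if receiver.get(ANDROID_NS + "permission") == DEVICE_ADMIN_PERMISSION:
            findings["device_admin_receivers"].append(receiver.get(ANDROID_NS + "name"))
    # Device-admin control weighs more than an overlay permission on its own.
    findings["score"] = len(findings["permissions"]) + 2 * len(findings["device_admin_receivers"])
    return findings


if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

A non-zero score is only a prompt for closer examination of the APK, since legitimate screen-filter, MDM and dialer apps request the same permissions.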
Reference:
[1] https://for585.com/androidransomware