Microsoft Warned Android Ransomware Abuses Notification Services to Display a Ransom Note


On Thursday, Microsoft alerted users that a sophisticated piece of Android ransomware that exploits notification services to display a ransom note has been spotted.

Android ransomware usually helps cybercriminals to make a profit by showing a full-screen ransom note that is impossible for the user to erase, not by encrypting data, such as in the case of ransomware affecting desktop systems.

Microsoft says this particular family of Android malware has been around for a while and has managed to make changes for its developers. In order to view the ransom note, previous versions of the malware exploited Android usability tools or device warning windows. Google, however, has taken precautions to discourage misuse of these features, and the victim can quickly detect or bypass any tactics used by attackers.

The newest iteration of the Android ransomware, which Microsoft monitors as AndroidOS / MalLocker. B, uses a new strategy to view the ransom note to make it more difficult to uninstall in an attempt to improve its chances of success.

Typically, the ransomware note is a bogus police warning telling the victim that specific photos have been located on their computer and instructing them within 24 hours to pay a fine.

In conjunction with the “onUserLeaveHint()” callback mechanism of the Operation class, the malware shows the ransom notice using a “call” message that demands immediate attention from the user, which is called when an application is about to go to the background after the user has pressed the home key on their device.

“The malware overrides the Operation class onUserLeaveHint() callback feature. Whenever the malware screen is moved to the background, the UserLeaveHint() feature is called, allowing the in-call operation to be brought to the foreground automatically, explained Microsoft researcher Dinesh Venkatesan.

This means that, regardless of what the victim does, the ransom note appears to be seen on the phone.

Microsoft also noticed that in the new update, it spotted a piece of code that leverages an open-source machine learning module that helps users to scale and crop an image dynamically depending on the screen size of the user.

In current ransomware versions, this code does not tend to be used, but if completely enforced, it would guarantee that the ransom note is shown on the computer without being corrupted, which Microsoft claims makes the threats more legitimate and increases the likelihood of paying the ransom.

A blog post with technical information about how the ransomware operates and how organizations can defend themselves from such threats has been released by Microsoft.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.