While ransomware has been around for years, it poses a growing threat to hospitals, local governments, and basically any institution that cannot tolerate downtime. In addition to the different types of PC malware typically used in these attacks, there is also another burgeoning platform for ransomware: Android phones. And new research from Microsoft shows that criminal hackers are investing time and resources in improving their mobile ransomware tools – a sign that their attacks are generating payouts.
The findings, released on Thursday and based on what Microsoft Defender observed on mobile devices, describe a variant of a well-known Android ransomware family that has added some clever tricks. These include a new mechanism for delivering the ransom note, improved detection-evasion techniques, and even a machine learning component that could be used to tailor the attack to different victims' devices. Mobile ransomware has been around since at least 2014 and is still not a ubiquitous threat, but it may be poised for a bigger leap.
"It's important for all users to know that ransomware is everywhere, not just on your laptops, but on every device you use and connect to the Internet," said Tanmay Ganacharya, head of Microsoft Defender research. "The effort that attackers go to, to compromise a user's device – their intent is to take advantage of it. They go where they think they can make the most money."
Mobile ransomware can encrypt files on a device the way PC ransomware does, but it often takes a different approach. Many attacks simply draw a ransom notice over the entire screen, preventing you from doing anything else on the phone, even after a restart. Attackers have typically used an Android permission called "SYSTEM_ALERT_WINDOW" to create an overlay window that you cannot close or bypass. However, security scanners have started to detect and flag apps that could cause this behavior, and Google has added protections to Android over the past year. As an alternative to the old approach, Android ransomware has moved on to abusing accessibility services or using "draw over other apps" techniques to create overlay windows.
The ransomware Microsoft observed, called AndroidOS/MalLocker.B, takes a different strategy. It invokes and manipulates the notifications meant for use when you receive a call. But the scheme overrides the normal flow of a call, which would eventually go to voicemail or simply end, and, with no actual call in progress, turns the notification into a ransom note overlay that you cannot dismiss and that the system keeps prioritizing indefinitely.
The researchers also found a machine learning module in the malware samples they analyzed that can automatically resize and zoom the ransom note image to fit a victim's display. Given the variety of Android phones and screen sizes in use around the world, such a feature would help attackers ensure that the ransom note is displayed cleanly and legibly. However, Microsoft determined that this ML component was not enabled in the ransomware and may still be under testing for future use.
In an attempt to evade detection by Google's own security systems and other mobile scanners, Microsoft researchers found, the ransomware was designed to mask its functions and purpose. Every Android app must have a "manifest file" that lists the names and details of its software components, much as a ship's manifest lists all passengers, crew, and cargo. Aberrations in a manifest file are often an indicator of malware, and the ransomware's developers managed to omit the code behind many of the components the manifest declares. Instead, to make the app harder to evaluate, they encrypted that code and hid it in a different folder, so the ransomware could still run without immediately revealing its malicious intent. The hackers also used other techniques, including what Microsoft called "name mangling," to mislabel and hide the malware's components.
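The tells described above (overlay and accessibility abuse, call-style full-screen notifications, manifest components with no code behind them, and encrypted code stashed in a separate folder) are things an analyst can check for statically once an APK has been decoded. The script below is an added example written for this page, not Microsoft's tooling or anything from the malware itself. It works on a decoded manifest, the set of classes found in the DEX, and the raw bytes of asset files; all three inputs are constructed here, the package and class names are made up, and the permission watch-list and the 7.5 bits/byte entropy threshold are assumed heuristics rather than authoritative rules.

```python
"""Static triage of a decoded Android APK for screen-locker ransomware tells.

Added example for this page. Inputs below are constructed; the watch-list and
entropy threshold are assumptions, not a vetted detection rule set.
"""
import math
import xml.etree.ElementTree as ET
from collections import Counter

A = "{http://schemas.android.com/apk/res/android}"  # the android: attribute namespace

# Constructed: a decoded manifest in the shape an APK decoder produces.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.videoplayer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.USE_FULL_SCREEN_INTENT"/>
  <application>
    <activity android:name=".MainActivity"/>
    <activity android:name="com.example.videoplayer.LockActivity"/>
    <service android:name=".Helper"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <receiver android:name=".BootReceiver"/>
  </application>
</manifest>
"""

# Constructed: classes actually present in classes.dex. LockActivity and
# BootReceiver are declared in the manifest but have no code here.
SAMPLE_DEX_CLASSES = {
    "com.example.videoplayer.MainActivity",
    "com.example.videoplayer.Helper",
    "com.example.videoplayer.a",  # mangled name, as seen in obfuscated builds
}

# Constructed asset files: one plain text, one blob with maximal byte entropy
# standing in for an encrypted payload dropped in the assets folder.
SAMPLE_ASSETS = {
    "assets/readme.txt": b"thank you for installing the video player\n" * 20,
    "assets/data.bin": bytes(range(256)) * 16,
}

# Assumed watch-list of permissions screen-locking ransomware leans on.
WATCHED_PERMISSIONS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "draw-over-apps overlay",
    "android.permission.USE_FULL_SCREEN_INTENT": "full-screen (call-style) notification",
    "android.permission.RECEIVE_BOOT_COMPLETED": "persistence across reboot",
}
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def _fqcn(name: str, package: str) -> str:
    """Resolve a manifest component name to a fully qualified class name."""
    if name.startswith("."):
        return package + name
    if "." not in name:
        return package + "." + name
    return name


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; ~8.0 means uniformly random, typical of encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage(manifest_xml: str, dex_classes: set, assets: dict,
           entropy_threshold: float = 7.5) -> list:
    """Return (kind, subject, note) findings for a decoded APK."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    findings = []

    # 1. Permissions that enable overlays, call-style notifications, persistence.
    for up in root.iter("uses-permission"):
        name = up.get(A + "name", "")
        if name in WATCHED_PERMISSIONS:
            findings.append(("permission", name, WATCHED_PERMISSIONS[name]))

    # 2. Components declared in the manifest: accessibility services, and any
    #    component whose class is not in the DEX (code hidden elsewhere).
    for tag in ("activity", "service", "receiver"):
        for comp in root.iter(tag):
            cls = _fqcn(comp.get(A + "name", ""), package)
            if comp.get(A + "permission") == ACCESSIBILITY_BIND:
                findings.append(("accessibility-service", cls, "can read and act on the screen"))
            if cls not in dex_classes:
                findings.append(("missing-code", cls,
                                 f"{tag} declared in manifest but absent from the DEX"))

    # 3. Assets that look encrypted rather than like media or text.
    for path, blob in assets.items():
        h = shannon_entropy(blob)
        if h >= entropy_threshold:
            findings.append(("high-entropy-asset", path,
                             f"{h:.2f} bits/byte, possibly encrypted code"))
    return findings


if __name__ == "__main__":
    for kind, subject, note in triage(SAMPLE_MANIFEST, SAMPLE_DEX_CLASSES, SAMPLE_ASSETS):
        print(f"[{kind}] {subject}: {note}")
```

None of these signals is conclusive on its own: a real dialer legitimately needs full-screen intents, a screen reader is an accessibility service, and a game may ship encrypted assets. The combination of a media-player app that declares components it has no code for, asks for overlay and full-screen-notification rights, and carries high-entropy blobs is what warrants a closer look.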
"This particular family of threats has existed for some time and has used many techniques to compromise the user. However, what we saw here was that it did not do what we expected or did in the past," said Ganacharya of Microsoft Defender.
Microsoft says that attackers mainly spread the ransomware through online forums and random websites rather than official channels. They usually market the malware by disguising it as other popular apps, video players, or games in order to entice downloads. And while there has been some early iOS ransomware, it remains far less common, much as Mac ransomware is still relatively rare. Microsoft shared the research with Google before releasing it, and Google told WIRED that the ransomware was not found in its Play Store.
Making sure that you only download Android apps from trusted app stores like Google Play is the easiest way to avoid mobile ransomware and protect yourself from all kinds of other malware as well. With the success of PC ransomware targeting both large businesses and individuals, mobile ransomware may only just be getting started.
This story originally appeared on wired.com.