Although ransomware has been around for years, it poses a growing threat to hospitals, city governments, and basically any institution that can’t tolerate downtime. But alongside the various types of PC malware commonly used in these attacks, there is also another burgeoning platform for ransomware: Android phones. And new research from Microsoft shows that hackers are spending time and resources perfecting their mobile ransomware tools, a sign that their attacks are generating payouts.
Released on Thursday, the findings, which were detected using Microsoft Defender on mobile devices, look at a variant of a known Android ransomware family that has added some clever tricks. That includes a new ransom note delivery mechanism, improved techniques to avoid detection, and even a machine learning component that could be used to fine-tune the attack for different victims’ devices. While mobile ransomware has been around since at least 2014 and is not yet a pervasive threat, it could be about to take a bigger leap.
“It is important for all users to be aware that ransomware is everywhere, and it is not just for their laptops, but for whatever device they use and connect to the Internet,” says Tanmay Ganacharya, who leads the research team at Microsoft Defender. “The effort that attackers make to compromise a user’s device, their intention is to take advantage of it. They go where they think they can make the most money.”
Mobile ransomware can encrypt files on a device in the same way as PC ransomware, but it often uses a different method. Many attacks simply involve plastering the entire screen with a ransom note that prevents you from doing anything else on your phone, even after restarting it. Attackers often abuse an Android permission called “SYSTEM_ALERT_WINDOW” to create an overlay window that cannot be dismissed or bypassed. However, security scanners began to detect and flag apps that could cause this behavior, and Google added protections against it last year in Android 10. As an alternative to that approach, Android ransomware can still abuse accessibility features or use drawing techniques to draw and redraw overlapping windows.
The ransomware observed by Microsoft, which it calls AndroidOS/MalLocker.B, has a different strategy. It invokes and manipulates the notifications intended to be used when you receive a phone call. But the scheme overrides the typical flow of a call, which would eventually go to voicemail or simply end, since there is no actual call; instead it turns the notification into a ransom-note overlay that you can’t avoid and that the system keeps prioritizing in perpetuity.
The researchers also discovered a machine learning module in the malware samples they analyzed that could be used to automatically adjust the size and zoom of a ransom note based on the screen size of the victim’s device. Given the diversity of Android phones in use around the world, this feature would be useful for attackers to ensure that the ransom note is displayed cleanly and legibly. Microsoft found, however, that this ML component was not actually activated within the ransomware and may still be in testing for future use.
In an attempt to evade detection by Google’s own security systems or other mobile scanners, Microsoft researchers found that the ransomware was designed to mask its functions and purpose. Every Android application must include a “manifest file,” which contains the names and details of its software components, much like a ship’s manifest lists all passengers, crew, and cargo. Aberrations in a manifest file are often an indicator of malware, and the ransomware developers managed to strip code from numerous parts of theirs. Instead, they encrypted that code to make it even more difficult to evaluate and hid it in a different folder, so the ransomware could still run but would not immediately reveal its malicious intent. The hackers also used other techniques, including what Microsoft calls “name mangling,” to mislabel and hide components of the malware.
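As an added defender-side example (not code from Microsoft’s research or from this article), the following Python script triages a decoded AndroidManifest.xml for the indicators the two passages above describe: the SYSTEM_ALERT_WINDOW overlay permission, a service bound as an accessibility service, and a manifest that declares unusually few components (a sign that real code may be hidden in encrypted assets). The sample manifest is constructed for illustration; the heuristic names are assumptions, not part of any Microsoft tooling.

```python
"""Triage a decoded AndroidManifest.xml for overlay-locker indicators.
Added example; the heuristics and the sample manifest are constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
OVERLAY_PERMISSION = "android.permission.SYSTEM_ALERT_WINDOW"
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Constructed sample: a "video player" that asks to draw over other apps
# and registers an accessibility service.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.videoplayer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Video Player">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".Helper"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""


def triage_manifest(manifest_xml: str) -> dict:
    """Return {'findings': [...], 'components': {...}} for a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    findings = []
    # 1. Overlay permission: lets an app cover the screen with an undismissable window.
    for perm in root.iter("uses-permission"):
        if perm.get(ANDROID_NS + "name") == OVERLAY_PERMISSION:
            findings.append(f"{OVERLAY_PERMISSION}: app can draw over other apps")
    app = root.find("application")
    components = {"activity": [], "service": [], "receiver": []}
    if app is not None:
        for tag in components:
            components[tag] = [c.get(ANDROID_NS + "name", "") for c in app.findall(tag)]
        # 2. Accessibility service: a common overlay-permission substitute.
        for svc in app.findall("service"):
            if svc.get(ANDROID_NS + "permission") == ACCESSIBILITY_BIND:
                findings.append(f"service {svc.get(ANDROID_NS + 'name')} binds as accessibility service")
    # 3. Sparse manifest: no activities declared suggests code loaded from hidden/encrypted files.
    if not components["activity"]:
        findings.append("no activities declared: components may be hidden outside the manifest")
    return {"findings": findings, "components": components}


if __name__ == "__main__":
    for line in triage_manifest(SAMPLE_MANIFEST)["findings"]:
        print("FLAG:", line)
```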
“This particular family of threats has been around for a while and has used many techniques to compromise the user, but what we saw here is that it was not doing what we expected or what it was doing in the past,” says Microsoft Defender’s Ganacharya.
Microsoft says it believes attackers primarily distribute the ransomware on online forums and through random web pages rather than official channels. They generally market the malware by making it look like other popular applications, video players, or games to attract downloads. And while there has been some early iOS ransomware, it remains much less common, similar to how Mac ransomware remains relatively rare. Microsoft shared the research with Google prior to publication, and Google emphasized to WIRED that the ransomware was not found on its Play Store.
Ensuring that you download Android apps only from trusted app stores like Google Play is the easiest way to avoid mobile ransomware and protect yourself from all kinds of malware as well. But given the success of PC ransomware targeting both large businesses and individuals, mobile ransomware may just be getting started.
This story originally appeared on wired.com.