Antivirus software systems are getting better and better. But malware developers are also busy creating more advanced versions of malicious software for a wide variety of platforms and operating systems.
Most often, cybercriminals' attention to a particular platform or OS is due to its popularity. It's simple: the more users it has, the greater the chance of a successful major attack. One of the most attractive targets for malware developers is Android. Microsoft has recently published the results of its study of a new generation of malware for this operating system.
Malware for Android? It has existed for many years, some families for longer than others.
In general, that is true, but the malware discovered by information security experts from Microsoft is surprising in its capabilities. We are talking about AndroidOS/MalLocker.B, one of the ransomware varieties for Android.
Its latest generation is capable of bypassing almost all protection systems offered by the antivirus software market.
Screenshot: the result of the work of one of the previous versions of the ransomware family.
To display the message shown in the screenshot above, the malware used the SYSTEM_ALERT_WINDOW special permission. It lets the application display a window with system-level privileges, so that antivirus software is unable to counteract it.
Android's developers used SYSTEM_ALERT_WINDOW to display messages about problems and errors in the system. Malware developers use such a "system" message to show a demand for money, while all other functions of the device are blocked. Quite often it works, and an inexperienced user really does pay.
Android developers have introduced several changes in recent OS versions to avoid this danger:
- Replaced SYSTEM_ALERT_WINDOW with other error / notification message window call types.
- Introduced a user request for permission to use SYSTEM_ALERT_WINDOW for each application separately, not for all of them together.
- Added the ability for the user to deactivate the SYSTEM_ALERT_WINDOW window.
Malicious software developers tried to adapt. For example, the drawing of the ransom-demand window was put into a loop. But this was not a particularly effective method, since the user could minimize everything, go to settings and delete the problematic application.
But now everything has changed: the developers of the malicious software turned out to be no slouches either.
What exactly does AndroidOS/MalLocker.B do?
The next-generation malware interacts with the call window function. Closing the window is not easy because it has high priority. Inside the window itself, the same text is displayed, demanding that money be sent to the cybercriminals' wallet.
To do this, two components are used that allow the malware to create a special type of notification, which then activates the phone call window.
The second component is onUserLeaveHint, a feature that is activated when you press buttons such as Home or Recents. The malware uses it to prevent the user from returning to the home screen, minimizing the ransom window, or switching to another application. This tactic is new, as ransomware used to use DoubleLocker and combined it with the Accessibility service.
Another new ransomware feature is the use of a machine learning module, which allows the malware to determine the required size of the message box, adapting it to the screen size and other features of the device. Since there are so many models of Android tablets and phones, this is an extremely useful "skill" for ransomware.
Below is a diagram of how different types of malware work, including representatives of the latest "family".
Security experts suggest that the evolution of this branch of ransomware is far from a dead end - there are still several generations ahead with new features and capabilities.
Protection bypass and distribution methods
The developers of AndroidOS/MalLocker.B taught their "brainchild" to bypass both the regular Google security system and third-party antivirus solutions. It does this by masking some of the ransomware's features and capabilities.
Any Android application includes a "manifest file" that contains the names and details of all software components. Malware developers usually mask and hide some important components. The creators of the new ransomware have chosen a different path - they obfuscate the code, which prevents antivirus applications from detecting the malware. In addition, the file is hidden in another folder, so that the ransomware can work, but not show "the truth of its intentions."
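A static triage check built on the two signals described above, the SYSTEM_ALERT_WINDOW permission and the manifest's component list, as an added example that is not code from Microsoft or from the original article. It assumes the manifest has already been decoded to text XML and that a list of class names present in the APK's dex code is available; treating a declared component with no matching dex class as a sign of code stored elsewhere in the package is an assumption of this example, and all sample data is constructed.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Constructed sample: a decoded (text) AndroidManifest.xml, not from a real app.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.player">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:name=".App">
    <activity android:name=".MainActivity"/>
    <activity android:name="com.example.player.hidden.LockActivity"/>
    <service android:name="SyncService"/>
  </application>
</manifest>
"""
# Constructed sample: classes actually found in the APK's dex code.
SAMPLE_DEX_CLASSES = {"com.example.player.App", "com.example.player.MainActivity",
                      "com.example.player.SyncService"}

def resolve(package, name):
    """Expand manifest shorthand (".Foo" or "Foo") to a fully qualified class name."""
    if name.startswith("."):
        return package + name
    return name if "." in name else package + "." + name

def triage(manifest_xml, dex_classes):
    """Report the overlay permission and declared components absent from the dex."""
    root = ET.fromstring(manifest_xml.strip())
    package = root.get("package", "")
    permissions = {e.get(A + "name") for e in root.iter("uses-permission")}
    declared = []
    app = root.find("application")
    if app is not None:
        if app.get(A + "name"):
            declared.append(resolve(package, app.get(A + "name")))
        for tag in COMPONENT_TAGS:
            declared += [resolve(package, e.get(A + "name"))
                         for e in app.findall(tag) if e.get(A + "name")]
    # Assumption of this example: a declared class with no dex counterpart
    # suggests the real code is unpacked from another location at run time.
    missing = sorted(c for c in declared if c not in dex_classes)
    return {"overlay_permission": OVERLAY in permissions,
            "declared": len(declared), "missing_from_dex": missing}

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, SAMPLE_DEX_CLASSES))
```

Legitimate apps protected by commercial packers can show the same manifest/dex mismatch, so the result is a reason to look closer, not a verdict.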
The new malware is unlikely to get into the Google Play Store, but it can get into third-party app catalogs without too many problems. At present the ransomware is distributed by its developers on forums, regular websites and third-party catalogs of Android applications. There is nothing new here; the cybercriminals' tactics are standard - to disguise the malicious software as a popular application, video game, player or something else like that.
To prevent the spread of the malware, Microsoft shared detailed information about it with Google - even before the results of the ransomware study went public. The recommendations given to users by information security specialists are the simplest ones - download applications from trusted sources and do not click on suspicious links, including those contained in e-mail messages.