As observed in other kinds of mobile malware families, MalLocker is being shared on random and compromised websites by crooks. It is also circulating on several online forums, using social engineering schemes to disseminate the threat, including masquerading as popular apps, cracked games and video players.

MalLocker doesn't block access to files and encrypt them after installing on the victim's device. Instead, it shows an overlay screen with the ransom note, using never-before-seen techniques that make use of certain Android features to freeze the device. After that, a ransom note that contains the instructions to pay the ransom is presented, automatically resized and cropped to fit the screen without distortion (Figure 1).

Figure 1: MalLocker overlay window with the ransom note and countdown

MalLocker obfuscation layer

In order to bypass security software, the malware is obfuscated. A clear signal of this is observed in the manifest file, where the code that defines the malware classes is absent.

Figure 2: Suspicious manifest file with the absence of code

In detail, the x file contains two classes that are not declared in the manifest file, confirming the suspicious activity. Like other malware, it stores the malicious binary files encrypted and obfuscated inside the Assets folder.

Figure 3: Encrypted executable code in the Assets folder

After the first execution, the x file is decrypted and the payload is loaded into memory, starting the infection chain.

Figure 4: Asset file before and after decryption

According to Microsoft, "the malware saves this configuration to the shared preferences of the app data, and then it sets up all the Broadcast Receivers. This action registers code components to get notified when certain system events happen. This is done in the function initComponents".

Figure 5: Starting BroadcastReceiver against system events

Digging into the MalLocker details

Instead of encrypting the system files, the malware uses a dual mechanism to show its ransom note and block the screen. First, MalLocker takes advantage of the call notification function available on Android devices. The malware abuses the call notification that is triggered for incoming calls to show details about the caller, and uses it to display an overlay window that covers the entire screen with the ransom note message.

Figure 6: The notification with full-screen intent and set as "call" category

Second, the ransomware uses the onUserLeaveHint() callback (highlighted below), which is invoked every time the user switches an application into the background, and takes advantage of it to launch and draw a new overlay window, automatically resized and cropped, presenting the ransom note (Figure 7).

Figure 7: The malware overriding the onUserLeaveHint call

With these new techniques and tactics in place, criminals can take advantage of these improvements to target a new attack surface compared with conventional malware. This is a shift in the mobile malware landscape, where fresh techniques explored in the wild by criminals were observed. MalLocker is a new ransomware variant built to evade protections, registering a low detection rate against security solutions. Notice that MalLocker's machine-learning module indicates the continuous evolution of this Android ransomware family, researchers said.
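The two indicators described above, an encrypted payload stored in the Assets folder and a screen-locking mechanism built on the call notification and the onUserLeaveHint() callback, can be turned into a simple static triage check. The Python script below is an added example written for this article; it is not code from the article, from Microsoft, or from the MalLocker sample. It builds a constructed in-memory APK (a zip with an opaque asset named x, a plain-text asset and a stub classes.dex), flags assets whose byte entropy suggests encryption, and scans classes.dex for the API names the text associates with the lock mechanism. The entropy threshold, the list of API strings (setFullScreenIntent, setCategory, TYPE_APPLICATION_OVERLAY are real Android identifiers chosen by me, not named by the article) and the sample contents are all assumptions; real DEX files store string data as MUTF-8 with a length prefix, so ASCII identifiers can be found by plain substring search, and a manifest-versus-DEX class comparison (the Figure 2 check) would additionally need a binary AndroidManifest.xml decoder and is left out.

```python
import hashlib
import io
import math
import zipfile

# Heuristic threshold (assumption): encrypted or compressed blobs score close to 8 bits/byte,
# while plain text, XML and most files with recognisable headers stay well below.
ENTROPY_THRESHOLD = 7.5

# API names associated with the screen-locking mechanism (assumed list, chosen for this example).
# DEX keeps string data as MUTF-8, so ASCII identifiers are findable by substring search.
SUSPICIOUS_DEX_STRINGS = [
    b"onUserLeaveHint",           # activity callback abused to redraw the overlay when the app is backgrounded
    b"setFullScreenIntent",       # notification full-screen intent that brings the overlay to the front
    b"setCategory",               # paired with the "call" notification category
    b"TYPE_APPLICATION_OVERLAY",  # window type for drawing on top of other apps
]


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in counts if c)


def triage_apk(apk_bytes: bytes) -> dict:
    """Report high-entropy assets and suspicious API strings found in classes*.dex."""
    report = {"high_entropy_assets": [], "dex_hits": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            data = zf.read(name)
            if name.startswith("assets/") and not name.endswith("/"):
                ent = shannon_entropy(data)
                if ent >= ENTROPY_THRESHOLD:
                    report["high_entropy_assets"].append((name, round(ent, 2)))
            elif name.startswith("classes") and name.endswith(".dex"):
                for needle in SUSPICIOUS_DEX_STRINGS:
                    if needle in data:
                        report["dex_hits"].append(needle.decode())
    report["dex_hits"] = sorted(set(report["dex_hits"]))
    return report


def build_sample_apk() -> bytes:
    """Constructed sample APK (not a real MalLocker sample): opaque asset, text asset, stub DEX."""
    # Deterministic pseudo-random bytes stand in for an encrypted payload in assets/x.
    opaque = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(128))
    plain = b"some harmless configuration text\n" * 40
    # Minimal stand-in for a DEX file: magic header, padding, then length-prefixed string constants.
    fake_dex = (b"dex\n035\x00" + b"\x00" * 32
                + b"\x0fonUserLeaveHint\x00"
                + b"\x13setFullScreenIntent\x00"
                + b"\x0bsetCategory\x00")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<placeholder/>")  # binary AXML in a real APK
        zf.writestr("assets/x", opaque)
        zf.writestr("assets/readme.txt", plain)
        zf.writestr("classes.dex", fake_dex)
    return buf.getvalue()


if __name__ == "__main__":
    result = triage_apk(build_sample_apk())
    for asset, ent in result["high_entropy_assets"]:
        print(f"high-entropy asset: {asset} ({ent} bits/byte)")
    print("suspicious DEX strings:", ", ".join(result["dex_hits"]))
```

Run against a real APK by passing the file's bytes to triage_apk(); a high-entropy asset alone is common in legitimate apps (compressed media, encrypted game data), so treat the two indicator classes as signals to combine with the manifest check rather than as a verdict on their own.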