Microsoft warns about the abuse of notification services by Android Ransomware


Microsoft warned customers on Thursday that it has noticed a classy piece of Android ransomware that abuses notification companies to show a ransom be aware.

Android ransomware sometimes permits cybercriminals to make a revenue not by encrypting information — equivalent to within the case of ransomware focusing on desktop programs — however by displaying a full-screen ransom be aware that’s tough for the consumer to take away.

Microsoft says this specific Android ransomware household has been round for some time and its builders have continued to make enhancements. Earlier variants of the malware abused Android accessibility options or system alert Home windows to show the ransom be aware. Nevertheless, Google has been taking steps to forestall abuse of those options, and a few strategies utilized by attackers will be simply noticed or bypassed by the sufferer.

In an effort to extend its possibilities of success, the newest model of the Android ransomware, which Microsoft tracks as AndroidOS/MalLocker.B, makes use of a brand new approach to show the ransom be aware and make it tougher to take away.

The ransomware be aware is often a faux police discover informing the sufferer that specific pictures had been discovered on their gadget and instructing them to pay a advantageous inside 24 hours.

The malware shows the ransom be aware utilizing a “name” notification, which requires rapid consideration from the consumer, mixed with the “onUserLeaveHint()” callback methodology of the Exercise class, which is named when an utility is about to enter the background after the consumer has pressed the house key on their smartphone.

“The malware overrides the onUserLeaveHint() callback perform of Exercise class. The perform onUserLeaveHint() is named at any time when the malware display is pushed to background, inflicting the in-call Exercise to be mechanically delivered to the foreground,” defined Microsoft researcher Dinesh Venkatesan.

This ensures that the ransom be aware continues to be displayed on the display no matter what the sufferer does.

Microsoft additionally famous that it noticed a bit of code within the newest model that leverages an open supply machine studying module which permits builders to mechanically resize and crop a picture primarily based on the dimensions of the gadget’s display.

This code doesn’t seem for use in present variations of the ransomware, but when it’s totally carried out, it is going to make sure that the ransom be aware is displayed on the display with out being distorted, which Microsoft says makes the threats extra plausible and will increase the possibilities of the ransom being paid.

Microsoft has printed a weblog publish with technical particulars on how the malware works and the way organizations can defend themselves in opposition to such threats.

Associated: Android Ransomware Asks for Sufferer’s Credit score Card Data

Associated: Android Ransomware Employs Superior Evasion Methods

view counter

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He labored as a highschool IT trainer for 2 years earlier than beginning a profession in journalism as Softpedia’s safety information reporter. Eduard holds a bachelor’s diploma in industrial informatics and a grasp’s diploma in pc methods utilized in Electrical engineering

Earlier Columns by Eduard Kovacs:

You May Also Like