According to Microsoft, the ransomware detected by Microsoft Defender for Endpoint as AndroidOS/MalLocker.B is a variant of a known family of Android ransomware, MalLocker, which has made a comeback with some new techniques: a novel way of delivering the ransom demand on compromised Android devices, and an obfuscation mechanism used to evade security solutions.
The MalLocker ransomware is known for being circulated via online forums using social engineering lures, such as masquerading as popular games or video players.
How AndroidOS/MalLocker.B indicates continuous evolution
This latest ransomware is a variant of a malware family that has undergone several stages of evolution, with a succession of techniques seen in use by the malware over time, including abuse of the system alert window, abuse of accessibility features, and, most recently, abuse of notification services.
The most recent variants also carry code derived from an open-source machine learning module, a TinyML model, commonly used by developers to automate the resizing and cropping of images based on screen size, a valuable function given the growing variety of Android devices.
The TinyML model ensures that images fit the screen without distortion. In the ransomware use case, the model is used to make the ransom note appear less contrived and more believable: a fake police notice, or explicit images supposedly found on the device, rendered cleanly for the victim's screen, thus increasing the chances of the user paying the ransom.
Additionally, the ransomware code is heavily obfuscated and made unreadable through name mangling and the deliberate use of meaningless variables and junk code, which thwarts analysis and masks the code's true purpose.
How organizations can protect data from threats across platforms
As mobile threats continue to evolve, and attackers attempt to sidestep technological barriers in pursuit of financial gain or access to the broader network, there is a need for a comprehensive defense system.
One such system is Microsoft Defender for Endpoint on Android, which is now generally available and extends Microsoft's industry-leading endpoint protection to Android devices. It detected this ransomware (AndroidOS/MalLocker.B), as well as other malicious applications, using cloud-based protection powered by deep learning and heuristics, in addition to content-based detection.