MalLocker
MalLocker, more specifically AndroidOS/MalLocker.B, is the designation given by Microsoft to the latest variant spawned from a family of Android ransomware threats. According to the researchers, this family has been operational in the wild for quite some time and has undergone several stages of evolution, showing the hackers' commitment to continue developing their malware tools.
At first glance, MalLocker may seem like a typical Android ransomware threat. It locks the screen with a window showing a message from the hackers and prevents users from accessing the rest of the affected device. The text of the message represents a typical extortion tactic, with the criminals making outrageous claims that the user has broken the law by possessing illicit materials on the device and is now being prosecuted by the police. Judging by the fact that the message is written entirely in Russian, it can be surmised that MalLocker is geared towards infecting predominantly Russian-speaking users.
However, looking at the underlying code of the threat reveals that it is the most sophisticated iteration of this malware family. MalLocker employs unique exploit and obfuscation techniques. Previous ransomware variants were observed abusing a specific permission called 'SYSTEM_ALERT_WINDOW' before moving on to other, arguably less effective, tactics such as exploiting Android devices' accessibility features. MalLocker, however, has moved on to the next step in Android ransomware development. It mainly takes advantage of two mechanisms: the 'call' notification, which possesses special privileges because it has to display details about the caller on top of whatever is on screen, and the 'onUserLeaveHint()' callback function of the Android Activity. Through this callback, the malware ensures that the screen with the ransom message always remains on top by preventing the user from pushing it to the background with the 'Home' or 'Recents' buttons. MalLocker's code has also been obfuscated through a technique that is unique for the Android platform.
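As an added triage illustration (not code from the Microsoft report), the heuristic below scans decompiled Android source for the two mechanisms described above and only flags a file when both appear together, since a legitimate dialer also uses a call-category, full-screen notification. The regexes, the assumption that the privileged 'call' notification corresponds to CATEGORY_CALL paired with setFullScreenIntent, and the two sample sources are all constructed for this example.

```python
import re

# Constructed heuristics (not a vendor signature) for the two mechanisms the
# article describes: an Activity whose onUserLeaveHint() relaunches itself, and a
# "call"-category notification carrying a full-screen intent, the privilege that
# lets an incoming-call screen cover whatever is in the foreground.
ON_LEAVE = re.compile(r"void\s+onUserLeaveHint\s*\(\s*\)\s*\{")
RELAUNCH = re.compile(r"\bstartActivity\s*\(")
CALL_CAT = re.compile(r"\bCATEGORY_CALL\b")
FULLSCREEN = re.compile(r"\.setFullScreenIntent\s*\(")

def block_at(src, open_brace):
    """Return the brace-delimited block whose '{' is at index open_brace."""
    depth = 0
    for i in range(open_brace, len(src)):
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        if depth == 0:
            return src[open_brace:i + 1]
    return src[open_brace:]

def scan(src):
    """Indicators present in one decompiled source file."""
    hits = []
    m = ON_LEAVE.search(src)
    if m and RELAUNCH.search(block_at(src, m.end() - 1)):
        hits.append("home_suppression")   # onUserLeaveHint -> startActivity
    if CALL_CAT.search(src) and FULLSCREEN.search(src):
        hits.append("call_fullscreen")    # privileged call-style notification
    return hits

def locker_like(src):
    """A real dialer legitimately uses call_fullscreen; flag it only when paired
    with an Activity that refuses to leave the foreground."""
    hits = scan(src)
    return "home_suppression" in hits and "call_fullscreen" in hits

# Constructed samples standing in for decompiled app code.
SUSPECT = """public class LockActivity extends Activity {
  @Override protected void onUserLeaveHint() {
    super.onUserLeaveHint();
    startActivity(new Intent(this, LockActivity.class));
  }
  void show() { new Notification.Builder(this).setCategory(Notification.CATEGORY_CALL)
      .setFullScreenIntent(pi, true).build(); }
}"""
DIALER = """public class IncomingCall extends Activity {
  void ring() { new Notification.Builder(this).setCategory(Notification.CATEGORY_CALL)
      .setFullScreenIntent(pi, true).build(); }
}"""
```

Run `scan()` over each decompiled class of an APK and treat `locker_like()` as a prompt for manual review, not a verdict.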
Due to its design, MalLocker is unable to penetrate the security measures of the Play Store, forcing the criminals behind the threat to use different distribution vectors, mainly hosting on third-party sites and messages on online forums. Both methods rely on social-engineering tactics to entice users into downloading the corrupted file, which is disguised as a cracked game, a video player, or a popular application.