Microsoft security researchers have recently discovered a new mobile platform-oriented ransomware that uses call notification and home button to place users on the ransomware interface.
In theory, the ransomware of the Android platform cannot completely lock the user’s device. For example, in some cases, the virus can delete and format the user data.
But when the phone is formatted, all the user’s data and information will be lost. If the user does not usually back up the data, it may also have an impact.
It is worth noting that Microsoft mentioned that the current ransomware for the Android platform is gradually refined, and its code and malicious behavior are constantly updated and strengthened.
Microsoft 365 Defender Research Team found after analysis that the ransomware was spread mainly through impersonation of popular applications, crackers, and players.
Pretending to be a popular application is to change the name and icon app to a popular application and then distribute it online. Some users may be attracted by downloading it through unofficial stores.
It is very common for crackers to carry viruses. Usually, an attacker downloads a normal cracked app and then stuffs the virus in and publishes it to the Internet to induce users to download it.
When the user installs the virus module, it will start automatically. After the start, it will use the Android home button and incoming call notification to always occupy the main interface and make the user unavailable.
On the blackmail interface, the attacker asks the user to pay a specific ransom. Of course, even if the user pays the ransom, he will not get the key.
Microsoft security researchers claim that the ransomware on the Android platform is currently being refined. The typical performance is that the attacker completely encrypts the code to prevent analysis.
It takes a long time for researchers to decrypt the obfuscated and encrypted code. Attackers also use various meaningless variable names and garbage codes to interfere with the analysis.
In terms of malicious behavior, various permissions and notifications provided by Android are used to occupy the screen, and even attackers use machine learning models to adapt to various screens.
This type of behavior is not common in malware on the Android platform, which indicates that ransomware attacks on the Android platform may accelerate changes in the future and become more harmful.
“This new mobile ransomware variant is an important discovery because the malware exhibits behaviors that have not been seen before and could open doors for other malware to follow,” Microsoft 365 Defender Research Team said.
“It reinforces the need for comprehensive defense powered by broad visibility into attack surfaces as well as domain experts who track the threat landscape and uncover notable threats that might be hiding amidst massive threat data and signals.”