Microsoft has recently published a technical report covering the evolution of an Android-targeting ransomware family. Unlike desktop ransomware, Android ransomware typically does not encrypt files; instead it blocks access to the device with a pop-up window that cannot be closed. Microsoft’s write-up covers the various methods the malware uses to keep that window on screen, and how those methods changed over time.
Most Android ransomware in the past relied on a special permission, “SYSTEM_ALERT_WINDOW”, to display the ransom note. This permission allows an app to draw a window on top of every other app, and a ransom note drawn this way cannot be dismissed by the user. After Google issued several platform-level changes to restrict this functionality, the Android ransomware adapted and used a novel technique, documented in Microsoft’s report, to display a persistent pop-up without that permission. The technique combines several pieces of ordinary Android notification functionality: setCategory(“call”) marks the notification as an incoming call, which the platform treats as high priority; setFullScreenIntent() makes the notification launch the ransom-note activity over whatever is currently on screen; and an overridden onUserLeaveHint() callback, which Android invokes when the user presses Home or otherwise tries to leave the activity, relaunches the activity so the pop-up returns to the top every time the user tries to leave or dismiss it.
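Each of those three API calls is legitimate on its own (VoIP apps use call-category, full-screen notifications), so what an analyst wants to flag is the combination, and in particular an onUserLeaveHint() override that relaunches an activity. The following triage script is an added example written for this post, not code from Microsoft’s report or from the malware; it scans decompiled Java sources (for instance jadx output, an assumption) for the three indicators and returns a verdict. The two source snippets embedded in it are constructed to mimic the ransomware pattern and a benign calling app, not samples taken from the report.

```python
"""Triage decompiled Android sources for the persistent-popup pattern."""
from __future__ import annotations

import re
from pathlib import Path

# Indicators named in the post. Each is legitimate Android API usage on its own;
# the combination, with a relaunch inside onUserLeaveHint(), is the signal.
INDICATORS = {
    "call_category": re.compile(
        r'setCategory\s*\(\s*(?:"call"|(?:Notification|NotificationCompat)\.CATEGORY_CALL)\s*\)'),
    "full_screen_intent": re.compile(r"\bsetFullScreenIntent\s*\("),
    "user_leave_hint_override": re.compile(r"\bvoid\s+onUserLeaveHint\s*\(\s*\)"),
}


def _method_body(src: str, start: int) -> str:
    """Return the brace-balanced block beginning at the first '{' after start."""
    i = src.find("{", start)
    if i < 0:
        return ""
    depth = 0
    for j in range(i, len(src)):
        if src[j] == "{":
            depth += 1
        elif src[j] == "}":
            depth -= 1
            if depth == 0:
                return src[i:j + 1]
    return src[i:]


def user_leave_hint_relaunches(src: str) -> bool:
    """True if an onUserLeaveHint() override starts an activity from its body."""
    m = INDICATORS["user_leave_hint_override"].search(src)
    if not m:
        return False
    body = _method_body(src, m.end())
    return re.search(r"\bstartActivit(?:y|ies)\s*\(", body) is not None


def scan_sources(sources: dict[str, str]) -> dict[str, list[str]]:
    """Map each indicator to the list of source files in which it fires."""
    hits: dict[str, list[str]] = {name: [] for name in INDICATORS}
    hits["user_leave_hint_relaunch"] = []
    for path, src in sources.items():
        for name, rx in INDICATORS.items():
            if rx.search(src):
                hits[name].append(path)
        if user_leave_hint_relaunches(src):
            hits["user_leave_hint_relaunch"].append(path)
    return hits


def verdict(hits: dict[str, list[str]]) -> str:
    """The relaunching override is the discriminator; notification calls alone are benign."""
    relaunch = bool(hits["user_leave_hint_relaunch"])
    notif = sum(1 for k in ("call_category", "full_screen_intent") if hits[k])
    if relaunch and notif == 2:
        return "suspicious"
    if relaunch and notif == 1:
        return "review"
    return "clean"


def scan_dir(root: str) -> dict[str, list[str]]:
    """Scan every .java file under a decompiled-APK directory (e.g. jadx output)."""
    files = Path(root).rglob("*.java")
    return scan_sources({str(p): p.read_text(errors="replace") for p in files})


# Constructed sample mimicking the pattern described in the post (not real malware code).
RANSOMWARE_LIKE = {
    "com/example/lock/LockActivity.java": """
public class LockActivity extends Activity {
    void showNote() {
        Notification.Builder b = new Notification.Builder(this, "ch");
        b.setCategory("call");
        Intent i = new Intent(this, LockActivity.class);
        PendingIntent pi = PendingIntent.getActivity(this, 0, i, 0);
        b.setFullScreenIntent(pi, true);
    }
    @Override
    protected void onUserLeaveHint() {
        super.onUserLeaveHint();
        startActivity(new Intent(this, LockActivity.class));
    }
}"""}

# Constructed sample of a benign calling app: same notification calls, no relaunch.
VOIP_LIKE = {
    "com/example/voip/IncomingCallService.java": """
public class IncomingCallService extends Service {
    void ring(PendingIntent pi) {
        NotificationCompat.Builder b = new NotificationCompat.Builder(this, "calls");
        b.setCategory(NotificationCompat.CATEGORY_CALL);
        b.setFullScreenIntent(pi, true);
    }
}"""}

if __name__ == "__main__":
    for label, sample in (("ransomware-like", RANSOMWARE_LIKE), ("voip-like", VOIP_LIKE)):
        print(label, verdict(scan_sources(sample)))
```

Run it against a jadx output directory with scan_dir(); the benign sample is reported as clean because it never overrides onUserLeaveHint(), while the constructed ransomware-like sample is reported as suspicious. Obfuscated or smali-only samples would need the same three checks rewritten against Dalvik method references, which this example does not cover.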
This Android ransomware has also incorporated a machine learning model (TinyML), intended to resize the ransom-note image so that it fits the pop-up window on any screen without distortion.
This Microsoft report also coincides with a new feature that Microsoft has added to Microsoft Defender for Endpoint (previously Microsoft Defender Advanced Threat Protection): mobile threat defense, which adds a Microsoft Defender agent for Android. In addition to an EDR solution like Microsoft Defender for Endpoint, Binary Defense also recommends the use of a 24/7 SOC solution like Binary Defense’s Security Operations Task Force to monitor events and respond quickly to malicious activity.