Ransomware attacks have been carried out for many years and lately target mainly hospitals, government offices and public services, where uninterrupted operation is vital. Another growing platform for ransomware attacks, however, is Android devices. According to research by Microsoft, malicious actors are investing more and more time and resources in developing their ransomware tools for Android.
The findings, detected using Microsoft Defender on mobile devices, concern a variant of a well-known Android ransomware family to which some clever characteristics have been added, including a new ransom note delivery mechanism, improved evasion techniques, and even a machine learning component that could be used to tailor the attack to the different devices of its victims.
The ransomware discovered by Microsoft, named AndroidOS/MalLocker.B, follows a different strategy from ordinary ransomware. It invokes and handles the notifications intended for use when a phone call is received. The ransomware, however, bypasses the normal flow of a call, which would eventually be routed to voicemail or simply terminated, since there is no actual call. Instead it turns the notification into a ransom note, which the user cannot dismiss from the screen because the system gives priority to keeping it displayed.
The researchers also discovered a machine learning component in the malware samples they analyzed, which could be used to scale the ransom note to the screen size of the victim's device. Given the diversity of Android devices in use around the world, such a feature would be useful to attackers, ensuring that the ransom note is displayed clearly and legibly. Microsoft found, however, that this component was not actually enabled in the ransomware and may be being tested for future use.
In an effort to avoid detection by Google's security systems or by other scanners, the ransomware was designed, as Microsoft researchers found, to hide its functions and purposes. Every Android application must include a manifest file, which contains the names and details of its software components. Deviations in a manifest file are often a sign of malware. The attackers encrypted this code to make it even harder to assess and hid it in a different folder, so the ransomware could still run but would not immediately reveal its malicious intent. They also use other techniques, such as what Microsoft calls "name mangling", to mislabel and hide malicious code.
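As an added illustration of the defender's side of the two points above (the manifest as a malware signal, and the call-notification primitives the ransom note relies on), here is a small triage script that is not part of the article or of Microsoft's research. It reads a decoded AndroidManifest.xml (as produced by a tool such as apktool; the decoding step is assumed, not shown) together with a list of class names assumed to have been extracted from the app's dex files, and flags two things: requests for the screen-takeover permissions (SYSTEM_ALERT_WINDOW, USE_FULL_SCREEN_INTENT) that let an app draw over everything or show a full-screen "incoming call" notification, and manifest components whose class is not present in the dex, which is one concrete form of the "deviation" the article describes when code is hidden elsewhere and loaded later. The sample manifest, package name and class list are constructed for the example; the heuristics are the author of this example's, not Microsoft's detection logic.

```python
"""Added example (not from the article): manifest triage for Android APK analysis."""
import xml.etree.ElementTree as ET
from typing import Iterable

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = f"{{{ANDROID_NS}}}name"  # ElementTree spelling of android:name

# Permissions that allow drawing over the whole screen or posting full-screen
# call-style notifications. Legitimate dialer/alarm apps request them too, so
# they are a signal to review, not a verdict.
SCREEN_TAKEOVER_PERMS = {
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.USE_FULL_SCREEN_INTENT",
}
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")


def resolve(package: str, name: str) -> str:
    """Expand manifest shorthand ('.Foo' or 'Foo') to a fully qualified class name."""
    if name.startswith("."):
        return package + name
    if "." not in name:
        return f"{package}.{name}"
    return name


def triage_manifest(manifest_xml: str, dex_classes: Iterable[str]) -> dict:
    """Return the requested permissions, unresolved components and human-readable findings."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    known = set(dex_classes)
    findings = []

    perms = {el.get(A_NAME, "") for el in root.iter("uses-permission")}
    takeover = sorted(perms & SCREEN_TAKEOVER_PERMS)
    if takeover:
        findings.append("screen-takeover permissions requested: " + ", ".join(takeover))

    # Every declared component should be backed by a class in the shipped dex.
    # A declaration with no matching class means the code comes from somewhere
    # else (encrypted payload, dynamically loaded folder), which merits a look.
    unresolved = []
    for tag in COMPONENT_TAGS:
        for comp in root.iter(tag):
            fq = resolve(package, comp.get(A_NAME, ""))
            if fq not in known:
                unresolved.append(fq)
    if unresolved:
        findings.append("components declared but absent from dex: " + ", ".join(unresolved))

    return {
        "package": package,
        "permissions": sorted(perms),
        "unresolved_components": unresolved,
        "findings": findings,
    }


# Constructed sample input: a fake "video player" that asks for screen-takeover
# permissions and declares a service whose class is not in the dex.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.USE_FULL_SCREEN_INTENT"/>
  <application android:label="Video Player">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".a.b.c"/>
    <receiver android:name="com.example.constructed.NotificationReceiver"/>
  </application>
</manifest>"""

# Constructed: class names assumed to have been listed from classes.dex.
SAMPLE_DEX_CLASSES = [
    "com.example.constructed.MainActivity",
    "com.example.constructed.NotificationReceiver",
]

if __name__ == "__main__":
    report = triage_manifest(SAMPLE_MANIFEST, SAMPLE_DEX_CLASSES)
    print(f"package: {report['package']}")
    for line in report["findings"]:
        print(f"  - {line}")
```

On the sample input the script reports both findings; on a benign dialer it would report only the permission line, which is why the output is meant to prioritise samples for a human or a sandbox rather than to block anything on its own.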