Highly Sophisticated new Android Ransomware Lock the Screen to Pay Ransom

Recently, Microsoft has warned of a highly sophisticated new Android Ransomware that locks the screen and force the victim to pay the ransom to unlock the device. The threat actors of these operations are quite strong and are continuously attacking the Android ecosystem. 

That’s why Microsoft has been fighting to elongate its industry-leading endpoint security capabilities beyond Windows. According to the Microsoft report, this Ransomware was named AndroidOS/MalLocker.B., And this whole Ransomware is buried inside Android apps that only allowed download on online panels and all kinds of third-party websites.

New Scheme But The Same Goal

This new Android ransomware uses appropriate authority known as “SYSTEM_ALERT_WINDOW” to advertise their all kind of ransom note. And the apps that have the authority of this permission can easily draw a window that belongs to the system group, and that can’t be dispersed. 

However, the notification of this permission was planned to be utilized for all kinds of system alerts or errors. But, the Android threats mistreat it to violate the UI that is being controlled by the threat actors to fully conquer the screen and block all the access to the device.

The main motive of this plan is to persuade the users to pay the claimed ransom, and after paying, they can gain back access to the device.

Changes implemented by Google in platform-level

Some changes have been implemented by Google in Platform-Level, and here we have mentioned them below:-

  • Initially, eliminating the SYSTEM_ALERT_WINDOW error and alert window types, and including a few other types as a substitute.
  • They are upgrading the permission rank of SYSTEM_ALERT_WINDOW to appropriate permission by inserting it into the “above dangerous” section; it means that every user has to go over many screens to allow apps that request for permission.  
  • Proposing an overlay kill switch on Android 8.0 and following that users can initiate it anytime to deactivate a system alert window.

Machine learning module intimates constant evolution

This new Ransomware has various new techniques that include abusing the system alert window, abusing accessibility features, and now they have installed another new feature that is abusing notification services.

Not only this, but the new variant of this Ransomware contains the code forked from an open-source machine learning module that are used explicitly by developers to alter and crop images accordingly with the screen size automatically.


This new Android malware utilizes a new obfuscation method that is quite unique to the Android platform. However, one of the prominent signs of obfuscated malware is the lack of code that describes the classes represented in the visible file.

When the malware operates for the very first time, the inactive block of the main course gets into the operation. The code is massively obfuscated and made the users confused through name mangling and practices some meaningless variable titles.

Main payload

The main payload is stored in memory, and the primary detonator holds the control of the main payload by requesting the method XoqF from the gvmthHtyN class. As we said above that the primary handover segment are known as “triggerInfection” with an occurrence of appObj and an extra method that reflects the value for the variable configurations.

Apart from this, Microsoft has affirmed that this new mobile ransomware variant is an important discovery, as this malware displays the behaviors that have not been observed before. It could easily open the doors for other malware to follow them accordingly.

Also Read:

Joker Trojan Targets Android devices Aimed to Steal SMS Messages, Contact Lists, and Device Information

Cerberus – Android Banking Malware Bypass 2FA To Steal 200+ Mobile Apps Credentials

Leave a Reply