Microsoft recently published a security blog that warned about a sophisticated new ransomware variant. Not, as you might expect, ransomware that impacts users of the Windows operating system, though. Nope, instead, this was a warning for Android users.
The discovery of a context-aware machine learning code module in the MalLocker.B certainly deserves the sophisticated tag. However, that module has yet to be activated, and more of that in a moment. What has grabbed the attention of Android users who have read the various reports online, it would seem, is the fact that MalLocker.B can effectively brick phones only with a press of the home button when answering a call. But how true is that, and how worried should Android smartphone users actually be?
First things first, this is a fascinating and highly detailed bit of technical blogging from the Microsoft security folk. As such, it is to be welcomed, as is all information that helps us understand how threats, including ransomware, are evolving. Most users, however, will not have read that report for the very same reason: it’s a technical deep dive. That’s a shame, but not surprising. The job of journalists and reporters in the information security space is to explain such highly technical revelations in a way that can be absorbed by almost anyone, regardless of their level of technical understanding.
On the whole, I think ‘we’ do a pretty decent job of that, and the MalLocker.B reporting is no exception. Apart from one thing: my inbox would suggest that many readers are coming away with the idea that their Android smartphones are in danger of being bricked simply because they have pressed the home button in response to an incoming call. That is not so and would appear to be a case of reading the headline and then skimming the story itself.
Where to begin? Well, as the B in MalLocker.B tends to suggest, this is a new version of an existing ransomware threat. But MalLocker, being Android ransomware, isn’t the same as the more commonly accepted kind of data-encrypting malware you may be thinking of.
As Microsoft reports, your files are all still there and unencrypted; instead, access to them is obstructed. That obstruction comes in the form of a screen that pops up on top of and over every other, meaning you are unable to do anything but look at the demand for payment. That demand takes the unlikely form of a supposed police notice about indecent images on your device and a fine that has to be paid.
This has led to some people thinking that the infected phone is bricked, but that isn’t the case. The phone works fine, but you can’t see that, as this ransomware screen is stuck front and center permanently. Unless you do a factory reset or pay the ransom, that is. Or, in the case of MalLocker, possibly reboot in safe mode and uninstall the malware app. But the phone hardware and firmware are fine; this is a software obstruction, albeit a reasonably devastating one.
OK, so bricking semantics aside, the phone is unusable, which is pretty damn bad no matter how you look at it. Especially as all it takes is a press of the home button following an incoming call, right? Well, no, not right at all.
There is no incoming call for a start, and while the triggering mechanism of the ransomware infection is for the user to press the home button in response to the supposed ‘call notification,’ that’s far from all it takes.
First, you have to install the malware file, which comes wrapped up as an app. Video players, ‘cracked’ games and cloned mainstream apps have all been used as disguises. So, it’s easy enough to get caught out. Or it would be, were it not for the fact that Google is more than aware of the characteristics of MalLocker, and so you won’t find it in the Play Store or any official and trustworthy source.
Instead, you would have to download it from an unofficial app store, a dodgy website or an online forum. You would have to be taken in by the various social engineering tactics used to drive you to such a destination in the first place, and want the ‘cracked app’ so badly that you forget all about the security risks involved with downloading such things. Only then, once it is downloaded and installed, do the incoming call and the pressing of the home button come into play.
At some point in the future, I must assume, the cybercriminals behind the MalLocker ransomware will also activate the machine learning code module that Microsoft researchers spotted as present but not yet in use. That’s actually quite sophisticated. It can ensure the warning screen is adjusted to the dimensions of the display so that it remains undistorted, and so looks more realistic, across all devices.
Of course, Microsoft points out that Microsoft Defender for Endpoint on Android will protect enterprises against this threat. Everyone else should use common security sense and avoid downloading dodgy apps from unverified sources.