There’s nothing much worse than knowing that you just lost everything to ransomware. When this happens on our phones, where much of our identity and our lives live, the situation can feel hopeless. It’s an endless battle for platform owners like Google, Microsoft and Apple: every time a company creates new security measures, attackers try to find a way around them. This is what Microsoft is warning Android users about in a new post on the security blog of the Microsoft 365 Defender research team.
Unlike ransomware that hits Windows machines, Android ransomware rarely actually encrypts data. Instead, a malicious application puts up a lock screen that blocks access to applications and data. One of the first methods was to use a special Android permission, which users unknowingly granted when installing an app from the app store. Back in the days before Lollipop (Android 5), apps always got all their permissions at install time. Today the system works differently, in part to thwart this type of attack vector.
The SYSTEM_ALERT_WINDOW permission gives an application the ability to draw system-level alert windows on top of whatever other application is displayed. Google closed this security hole by first introducing runtime permissions, asking users to allow certain actions the first time they are used. Later, the company marked this special permission as dangerous, so it requires additional confirmation. In Android 11, this type of alert window was removed from the operating system, and Google added new window types to replace it. This kind of vulnerability was finally put to rest.
What are the attackers doing now? They continue to abuse system-level functionality, but in new and interesting ways. First, the malware registers as a handler for a range of system events. Everything from the Boot Completed event when the user first starts the phone to a ringtone change or a device unlock will notify the ransomware of what is happening on the system so that it can present itself. All that remains is to get the user to interact with it once so that it can execute. It will try to do this through alerts, system windows, accessibility features or other ways users interact with their phones. Here we will examine what appears to be the most common attack vector: notifications.
Several types of alerts on Android interrupt all activity and require immediate user interaction. For example, when you receive a phone call, that notification is full screen and demands urgent action. The malware authors concluded that they could create a notification that requires urgent interaction. The malware creates a full-screen notification using the notification API and displays it to the user. Once the user interacts with this notification, the hard part, getting their attention, is over. It is only a notification, though; the attacker still needs the user to act on it. One thing the user will always do with their phone is press the Home button, so the attacker just has to convince the user to leave the notification.
Without going too far into the weeds of Android app development, Android apps live in Activities. Each screen in an Android application has its own Activity, which is derived from a base class. That base class has methods (functions) that are called when certain events occur. One of these events is onUserLeaveHint(), which fires when the user is about to leave the activity or send it to the background, for example by pressing the Home key. Because it is defined in the base Activity class, developers can override it with their own functionality. In this case, that override displays the ransom note. Your phone is now locked.
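As an added example (not code from the Microsoft post or from this article), here is a small Python triage script that flags the three indicators described above in a decompiled app: overlay or full-screen-notification permissions in the manifest, a receiver that wakes the app on boot or unlock, and an Activity that overrides onUserLeaveHint(). The manifest and the decompiled fragment it runs on are constructed samples, and the scoring thresholds are assumptions, not anything Defender uses.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # manifest attribute namespace

# Indicators from the article: overlay/full-screen alert permissions and a
# receiver that wakes the app on system events such as boot or unlock.
OVERLAY_PERMS = {"android.permission.SYSTEM_ALERT_WINDOW",
                 "android.permission.USE_FULL_SCREEN_INTENT"}
WAKEUP_ACTIONS = {"android.intent.action.BOOT_COMPLETED",
                  "android.intent.action.USER_PRESENT",       # device unlocked
                  "android.intent.action.MY_PACKAGE_REPLACED",
                  "android.intent.action.ACTION_POWER_CONNECTED"}

def triage_manifest(manifest_xml: str) -> dict:
    """Return the overlay permissions and wake-up receiver actions an app declares."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(A + "name") for p in root.iter("uses-permission")}
    actions = {a.get(A + "name") for r in root.iter("receiver") for a in r.iter("action")}
    return {"overlay_perms": sorted(perms & OVERLAY_PERMS),
            "wakeup_actions": sorted(actions & WAKEUP_ACTIONS)}

def overrides_user_leave_hint(decompiled_source: str) -> bool:
    """True if a decompiled Activity overrides onUserLeaveHint(), the Home-key hook."""
    return "onUserLeaveHint" in decompiled_source

def risk_score(manifest_xml: str, decompiled_source: str) -> int:
    """Crude additive score (assumed thresholds): each indicator adds one point."""
    t = triage_manifest(manifest_xml)
    return (len(t["overlay_perms"]) + len(t["wakeup_actions"])
            + int(overrides_user_leave_hint(decompiled_source)))

# Constructed sample manifest and decompiled fragment (not from a real sample).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <receiver android:name=".Wake">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.intent.action.USER_PRESENT"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""
SAMPLE_SOURCE = "class Main extends Activity { protected void onUserLeaveHint() { /* ... */ } }"

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST), risk_score(SAMPLE_MANIFEST, SAMPLE_SOURCE))
```

A benign app can legitimately declare any one of these, so the score is a triage aid for analysts, not a verdict.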
Microsoft used a mixture of machine learning and hands-on forensics to analyze the malware's behavior. The attackers try to hide their intentions and cover their tracks in many ways. The first and most obvious is by omitting key parts of the Android manifest. The attackers also pad their malicious apps with junk data to trick researchers into thinking it is an integral part of the attack. There is also an encrypted dex file (Dalvik VM executable) that hides the malware payload. Encrypting both the junk and the real application code makes it difficult for researchers to determine what is happening. These guys are insidious, for sure.
Microsoft says its Defender for Endpoint software can detect this behavior and prevent bad actors from locking the device. And we should all be careful when installing unknown applications. It doesn’t seem like a day goes by without Google banning new apps from Google Play, so it will take continued vigilance from the company to find these new attack vectors and crush them.