October 16, 2020

AndroidOS/MalLocker.B Ransomware

Entry Type
Security Guidance
Platform(s) Affected
Android
Threat Type
Malware
Platform(s) Affected
Security Guidance
Android
Malware

Lookout Coverage and Recommendation for Admins

Lookout detects AndroidOS/MalLocker.B as a new variant of PLock and has protection against this ransomware in place for its customers. When detected on a user’s device, Lookout will block it from executing before it can take the device over and lock the screen. When the user receives an alert, they will receive guidance on how to remediate the threat.

Lookout admins can set policies in the console that block a device’s access to corporate resources if AndroidOS/MalLocker.B is detected until it is removed. This is enforced by Continuous Conditional Access, which constantly monitors the risk-level of mobile endpoints to protect your infrastructure by enabling Zero trust Network Access policies.

Overview

Microsoft has recently discovered a new variant of ransomware with novel techniques and behavior on Android devices. The malware, known as AndroidOS/MalLocker.B, is the latest variant of an existing family that is widely used and distributed across online forums, apps, and more. The primary way attackers lure victims in is by leveraging social engineering within these platforms.

The ransomware will lock the device and display a ransom note on the home screen. This variant leverages new tactics to circumvent prevention measures put in place by Google that were meant to block creation of an overlay window that could not be dismissed by the user. It appears that there are machine learning capabilities that will enable this malware family to constantly evolve in the future.

Lookout Analysis

In the past, ransomware messages like this one persisted through an infinite loop of creating (drawing) and recreating (re-drawing) the overlay screen. Between the draw and re-draw, it was possible for users to get to their apps and uninstall the malicious app. This latest variant is able to create an infinite loop that avoids that draw and re-draw process that makes it impossible for the user to be able to access the device and remove the offending app.

Lookout Coverage and Recommendation for Admins

Lookout detects AndroidOS/MalLocker.B as a new variant of PLock and has protection against this ransomware in place for its customers. When detected on a user’s device, Lookout will block it from executing before it can take the device over and lock the screen. When the user receives an alert, they will receive guidance on how to remediate the threat.

Lookout admins can set policies in the console that block a device’s access to corporate resources if AndroidOS/MalLocker.B is detected until it is removed. This is enforced by Continuous Conditional Access, which constantly monitors the risk-level of mobile endpoints to protect your infrastructure by enabling Zero trust Network Access policies.

Colleagues standing in an open meeting area and sharing a humorous moment

Stop Cyberattacks Before They Start With Industry-Leading Threat Intelligence.

Other Related Threats

New

September 22, 2023

iOS 16.6.1 and iOS 17.0

Apple recently released two software updates for iOS and iPad OS for vulnerabilities that can form an exploit chain and are also known to install Predator spyware.

September 15, 2023

Scattered Spider

September 19, 2023

CVE-2023-4863