Malware goes where people go, and there are many people around the world using Android to do the bulk of their computing. Naturally, ransomware has found its way to Android, and there’s a new, particularly devious strain of it floating around. According to Microsoft’s Defender Research team, MalLocker.B manipulates multiple Android OS functions to take over your phone when you press the home button.
MalLocker.B won’t just appear on your phone like magic — it’s being distributed on sketchy third-party app stores and forums. Users have to go through several steps to deactivate Google’s built-in app security before they can install the malicious app, which hides in a seemingly unrelated app.
Once installed, it creates a “call” notification, a notification type that is granted privileged access to the screen. Apps that use this legitimately need it to draw full-screen incoming-call notifications, but MalLocker.B uses it to display a ransom note. This is a clever way around Google’s recent tightening of the system alert window, which used to be a primary target for malware. However, it’s the way the malicious code hooks into the home button that makes it truly different.
Android activities have a callback called onUserLeaveHint(), which the system invokes when the user is about to push an app into the background, for example by pressing the home button. MalLocker.B overrides this callback to bring the ransom activity back into the foreground every time the user attempts to leave it. And just like that, your phone is unusable.
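The two behaviours described above, the call-style full-screen notification and the onUserLeaveHint() relaunch, are easy to spot in decompiled source. The following is an added example, not code from Microsoft or from the malware, of a simple static check that flags both patterns; the two Java snippets it scans are constructed for illustration and are not MalLocker.B’s actual code.

```python
import re

# Constructed decompiled-Java snippet showing both indicators (illustrative only).
SUSPECT_SRC = """
public class LockActivity extends Activity {
    @Override
    protected void onUserLeaveHint() {
        super.onUserLeaveHint();
        startActivity(new Intent(this, LockActivity.class));
    }
    void show(PendingIntent pi) {
        Notification.Builder b = new Notification.Builder(this, "calls");
        b.setFullScreenIntent(pi, true);
    }
}
"""

# Constructed benign snippet: a media player that merely pauses when backgrounded.
BENIGN_SRC = """
public class PlayerActivity extends Activity {
    @Override
    protected void onUserLeaveHint() {
        super.onUserLeaveHint();
        player.pause();
    }
}
"""

# Calls that would drag an activity back to the foreground from the callback.
RELAUNCH = re.compile(r"\b(startActivity|startActivities|moveTaskToFront)\s*\(")


def method_body(src, name):
    """Return the body of the first method called `name`, found by brace matching."""
    m = re.search(r"\b" + re.escape(name) + r"\s*\([^)]*\)\s*\{", src)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(src) and depth:
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        i += 1
    return src[m.end():i - 1]


def scan(src):
    """Return a list of human-readable findings for the two MalLocker.B-style indicators."""
    findings = []
    body = method_body(src, "onUserLeaveHint")
    if body and RELAUNCH.search(body):
        findings.append("onUserLeaveHint() relaunches an activity (home-button hijack)")
    if "setFullScreenIntent(" in src:
        findings.append("full-screen notification intent (call-style overlay)")
    return findings


def is_lock_screen_pattern(src):
    """True only when both indicators are present together, as in the sample described."""
    return len(scan(src)) == 2
```

Either indicator alone is common in legitimate apps (media players override the callback, dialers use full-screen intents); it is the combination that deserves a closer look.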
Like most Android ransomware, MalLocker.B does not encrypt files. Desktop ransomware usually does, then sells the victim the decryption key needed to recover their files. MalLocker.B instead masquerades as a notice from law enforcement, informing the user that they have committed a crime and must pay a fine. Paying, however, won’t remove the malware.
The good news is that all the data on the phone is intact — there’s just an app getting in your way. It doesn’t have root access or any special system permissions, so MalLocker.B can be removed via safe mode or ADB. The creators are simply betting that most users won’t realize that, and they’re probably right. That’s why ransomware like this is effective. The moral of the story is clear: don’t sideload apps from untrustworthy sources.