There is very little worse than knowing you’ve just lost everything to ransomware. When it happens on our phones, where so much of our identity and our lives live, the situation can feel hopeless. It’s a never-ending battle for platform owners like Google, Microsoft, and Apple. Every time a company creates new security measures, attackers try to find a way to circumvent them. That’s what Microsoft warns Android users about in a new security blog post from the Microsoft 365 Defender Research Team.
Unlike ransomware that hits Windows machines, Android devices rarely actually get their data encrypted. Instead, a malicious app will present itself when the phone gets locked, blocking access to apps and data. One of the first methods was using an Android special permission, which users unwittingly granted when they installed the app from an app store. Back in the pre-Lollipop (Android 5) days, apps just always got all their permissions at install time. It works differently today in part to thwart this kind of attack vector.
The SYSTEM_ALERT_WINDOW permission grants an app the ability to put a system-level alert on top of any other app that displays. Google fixed this security hole by first breaking permissions down at runtime, prompting users to allow certain actions the first time they’re invoked. Later, the company marked this special permission dangerous, so it requires multiple confirmations. In Anrdoid 11 this type of alert has been removed from the operating system, and Google has added additional window types to replace it. Finally, this kind of vulnerability has been put to bed.
What are attackers doing now? They’re still misusing system-level functionality, but in new and interesting ways. First, it registers itself as a handler for a whole bunch of system activities. Everything from a Boot Completed event when the user first starts the phone to a ringer mode change or unlocking the device will notify the ransomware what’s going on with the system so it can present itself. All it has to do is get the user to interact with it one time so it can execute. It’ll try to do that through alerts, system windows, accessibility features, or other ways that users interact with their phones. We’ll examine what seems to be the most common attack vector, though: notifications.
Several alert types on Android interrupt all activity and require immediate user interaction. For instance, when you receive a phone call, that notification is full-screen and requires immediate action. Malware authors figured out they could build a notification that requires immediate interaction. The malware creates a full-screen notification using the Notification Builder API and displays it to the user. Once the user interacts with that notification, the hard part of getting their attention is over. That’s just the notification, though – next, we have to get the user to interact with it. One way that the user is always going to interact with their phone is the Home button, so the attacker just has to convince the user to leave the notification.
Without getting too far into the Android app development weeds, Android apps live in Activities. Each screen in an Android app is its own Activity, which is derived from a base class. That base class has methods (functions) that get called when certain events happen. One of those events is detecting when the app is about to get backgrounded, called onUserLeaveHint(), which fires when the user tries to leave an activity or send it to the background. For instance, when pressing the Home button. Because it’s defined in the base Activity class, developers are free to override it with their own functionality. In this case, that functionality is the ransom message. Now your phone is locked up.
Microsoft used a mix of machine learning and hands-on forensics to track down the behavior. Attackers try to hide their intentions and cover their tracks in many ways. The first and most obvious is by excluding key pieces of the Android manifest. Attackers also have their malware apps decrypt garbage data to try to fool researchers into thinking it’s integral to the attack. There’s also an encrypted dex file (Dalvik VM executable) that hides away the malware payload. By encrypting both garbage and real app code, it makes it harder for researchers to pin down what’s happening. These guys are sneaky, for sure.
Microsoft says its enterprise Defender for Endpoint software can detect this kind of behavior and prevent bad actors from locking down a device. We should all be careful installing unknown apps, too. It seems like a day doesn’t go by that Google isn’t banning new apps from Google Play, and it’s going to require increased vigilance on the company’s part to find these new attack vectors and squash them.