AndroidOS/MalLocker.B is a variant of a ransomware family targeting Android devices. It prevents the user from interacting with the UI by displaying a screen containing a ransom note over all other windows. [1]

ID: S0524
Platforms: Android
Version: 1.0
Created: 29 October 2020
Last Modified: 29 October 2020

Techniques Used

Domain ID Name Use
Mobile T1624.001 Event Triggered Execution: Broadcast Receivers

AndroidOS/MalLocker.B has registered to receive 14 different broadcast intents for automatically triggering malware payloads. [1]

Mobile T1629.002 Impair Defenses: Device Lockout

AndroidOS/MalLocker.B can prevent the user from interacting with the UI by using a carefully crafted "call" notification screen. This is coupled with overriding the onUserLeaveHint() callback method to spawn a new notification instance when the current one is dismissed. [1]

Mobile T1655.001 Masquerading: Match Legitimate Name or Location

AndroidOS/MalLocker.B has masqueraded as popular apps, cracked games, and video players. [1]

Mobile T1406 Obfuscated Files or Information

AndroidOS/MalLocker.B has employed both name mangling and meaningless variable names in its source code. AndroidOS/MalLocker.B has stored encrypted payload code in the Assets directory, coupled with a custom decryption routine that assembles a .dex file by passing data through Android Intent objects. [1]
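The broadcast-receiver entry above (T1624.001) describes a trait a static triage step can measure: how many distinct broadcast actions a package registers receivers for. The following is an added example for defenders, not code from the ATT&CK page or from the malware; it parses a decoded AndroidManifest.xml (the sample manifest is constructed, the package name and the threshold of 10 actions are assumptions) and flags heavy receiver registration of the kind attributed to MalLocker.B.

```python
"""Heuristic triage for decoded AndroidManifest.xml: count the distinct broadcast
actions registered by <receiver> elements and flag unusually heavy registration
(ATT&CK T1624.001). Added example; constructed sample, assumed threshold."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"  # android:name in Clark notation

# Constructed sample manifest, as apktool would decode it; not from a real sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.videoplayer">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.intent.action.USER_PRESENT"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".NetReceiver">
      <intent-filter>
        <action android:name="android.net.conn.CONNECTIVITY_CHANGE"/>
        <action android:name="android.intent.action.USER_PRESENT"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


def receiver_actions(manifest_xml):
    """Return the set of distinct broadcast actions any <receiver> listens for.
    Duplicate actions across receivers are counted once."""
    root = ET.fromstring(manifest_xml)
    actions = set()
    for receiver in root.iter("receiver"):
        for action in receiver.iter("action"):
            name = action.get(NAME_ATTR)
            if name:
                actions.add(name)
    return actions


def assess(manifest_xml, threshold=10):
    """Flag a manifest whose receivers cover at least `threshold` distinct
    actions. The threshold is an assumed tuning value, not an ATT&CK figure;
    MalLocker.B's 14 registered intents would exceed it."""
    actions = receiver_actions(manifest_xml)
    return {"count": len(actions),
            "suspicious": len(actions) >= threshold,
            "actions": sorted(actions)}


if __name__ == "__main__":
    print(assess(SAMPLE_MANIFEST))
```

A high count is a triage signal to be read alongside the permissions and component list, not a verdict on its own; legitimate apps also register several receivers.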