Microsoft Warns of Android Ransomware Abusing Notification Services


Level 69
Content Creator
Malware Hunter
Aug 17, 2014
Microsoft warned users on Thursday that it has spotted a sophisticated piece of Android ransomware that abuses notification services to display a ransom note.

Android ransomware typically allows cybercriminals to make a profit not by encrypting files — such as in the case of ransomware targeting desktop systems — but by displaying a full-screen ransom note that is difficult for the user to remove.

Microsoft says this particular Android ransomware family has been around for a while and its developers have continued to make improvements. Previous variants of the malware abused Android accessibility features or system alert windows to display the ransom note. However, Google has been taking steps to prevent abuse of these features, and some methods used by attackers can be easily spotted or bypassed by the victim.

In an effort to increase its chances of success, the latest version of the Android ransomware, which Microsoft tracks as AndroidOS/MalLocker.B, uses a new technique to display the ransom note and make it more difficult to remove. The ransomware note is usually a fake police notice informing the victim that explicit images had been found on their device and instructing them to pay a fine within 24 hours.
Microsoft has published a blog post with technical details on how the malware works and how organizations can protect themselves against such threats.


Staff member
Malware Hunter
Jul 27, 2015
Microsoft says that it sees the ransomware mostly being distributed by attackers in online forums and through random webpages rather than official channels. They typically market the malware by making it look like other popular apps, video players, or games to entice downloads. And though there have been some early examples of iOS ransomware, this is still far less common—similar to how Mac ransomware is still relatively rare. Microsoft shared the research with Google prior to publication, and Google emphasized to WIRED that the ransomware was not found in its Play Store.