S0524 AndroidOS/MalLocker.B
AndroidOS/MalLocker.B is a variant of a ransomware family targeting Android devices. It prevents the user from interacting with the UI by displaying a screen containing a ransom note over all other windows. 1
Item | Value |
---|---|
ID | S0524 |
Associated Names | |
Type | MALWARE |
Version | 1.0 |
Created | 29 October 2020 |
Last Modified | 29 October 2020 |

Techniques Used

Domain | ID | Name | Use |
---|---|---|---|
mobile | T1624 | Event Triggered Execution | - |
mobile | T1624.001 | Broadcast Receivers | AndroidOS/MalLocker.B has registered to receive 14 different broadcast intents for automatically triggering malware payloads. 1 |
mobile | T1629 | Impair Defenses | - |
mobile | T1629.002 | Device Lockout | AndroidOS/MalLocker.B can prevent the user from interacting with the UI by using a carefully crafted “call” notification screen. This is coupled with overriding the onUserLeaveHint() callback method to spawn a new notification instance when the current one is dismissed. 1 |
mobile | T1406 | Obfuscated Files or Information | AndroidOS/MalLocker.B has employed both name mangling and meaningless variable names in its source code. It has also stored encrypted payload code in the Assets directory, coupled with a custom decryption routine that assembles a .dex file by passing data through Android Intent objects. 1 |