
S0524 AndroidOS/MalLocker.B

AndroidOS/MalLocker.B is a variant of a ransomware family targeting Android devices. It prevents the user from interacting with the UI by displaying a screen containing a ransom note over all other windows. [1]

| Item | Value |
|---|---|
| ID | S0524 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 29 October 2020 |
| Last Modified | 29 October 2020 |
| Navigation Layer | View In ATT&CK® Navigator |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| mobile | T1624 | Event Triggered Execution | - |
| mobile | T1624.001 | Broadcast Receivers | AndroidOS/MalLocker.B has registered to receive 14 different broadcast intents for automatically triggering malware payloads. [1] |
| mobile | T1629 | Impair Defenses | - |
| mobile | T1629.002 | Device Lockout | AndroidOS/MalLocker.B can prevent the user from interacting with the UI by using a carefully crafted “call” notification screen. This is coupled with overriding the onUserLeaveHint() callback method to spawn a new notification instance when the current one is dismissed. [1] |
| mobile | T1406 | Obfuscated Files or Information | AndroidOS/MalLocker.B has employed both name mangling and meaningless variable names in source. AndroidOS/MalLocker.B has stored encrypted payload code in the Assets directory, coupled with a custom decryption routine that assembles a .dex file by passing data through Android Intent objects. [1] |
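
A static triage check for the Broadcast Receivers entry (T1624.001) above, as an added example that is not part of the ATT&CK page: it counts the distinct broadcast actions that an app's manifest-declared receivers listen for, across the whole app. The threshold, the helper names and the sample manifests are assumptions constructed for illustration, and the input is assumed to be an AndroidManifest.xml already decoded to text XML.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
ACTION_THRESHOLD = 10  # assumed triage cut-off; tune against your own app corpus

# Real Android broadcast actions, picked for this constructed sample only;
# they are NOT the 14 intents the malware registers (the page does not list them).
_ACTIONS = ["BOOT_COMPLETED", "USER_PRESENT", "ACTION_POWER_CONNECTED",
            "ACTION_POWER_DISCONNECTED", "BATTERY_LOW", "BATTERY_OKAY", "TIME_SET",
            "TIMEZONE_CHANGED", "LOCALE_CHANGED", "PACKAGE_ADDED", "PACKAGE_REMOVED",
            "AIRPLANE_MODE"]

def build_manifest(actions_by_receiver):
    """Build a constructed, decoded-style AndroidManifest.xml for the demo."""
    body = ""
    for name, actions in actions_by_receiver.items():
        tags = "".join(f'<action android:name="android.intent.action.{a}"/>' for a in actions)
        body += f'<receiver android:name="{name}"><intent-filter>{tags}</intent-filter></receiver>'
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="com.example.constructed"><application>{body}</application></manifest>')

def receiver_actions(manifest_xml):
    """Map each <receiver> name to the set of broadcast actions it filters on."""
    if "<!DOCTYPE" in manifest_xml:  # manifest comes from an untrusted APK: refuse DTDs/entities
        raise ValueError("DOCTYPE not allowed in manifest")
    result = {}
    for rcv in ET.fromstring(manifest_xml).iter("receiver"):
        names = {a.get(ANDROID_NS + "name") for a in rcv.iter("action")}
        result.setdefault(rcv.get(ANDROID_NS + "name", "?"), set()).update(n for n in names if n)
    return result

def triage(manifest_xml, threshold=ACTION_THRESHOLD):
    """Flag an app whose receivers, taken together, listen for many broadcast actions."""
    per_receiver = receiver_actions(manifest_xml)
    distinct = set().union(*per_receiver.values())
    return {"receivers": len(per_receiver), "distinct_actions": len(distinct),
            "flag": len(distinct) >= threshold}

# Constructed samples: triggers split across two receivers, and a single boot receiver.
SUSPECT = build_manifest({".a": _ACTIONS[:7], ".b": _ACTIONS[5:]})
BENIGN = build_manifest({".BootReceiver": ["BOOT_COMPLETED"]})

if __name__ == "__main__":
    print(triage(SUSPECT))  # flagged on the app-wide count, not per receiver
    print(triage(BENIGN))
```

Receivers registered at runtime through registerReceiver() do not appear in the manifest, so a low count here does not clear a sample.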

References