In Android, apps aren’t supposed to be able to interfere with the normal behavior of other apps or the device itself. But ransomware is notorious for taking over other apps and encrypting data, and it can even block the uninstall command. It’s been a long-standing problem for Google’s Android mobile operating system.
“Ransomware does everything opposite of what the Android security model says apps should do,” says Android security team malware analyst Elena Kovakina. Google is tackling the ransomware problem on Android by beefing up app protections, deprecating certain APIs, and removing functionality, she says. Google has made antimalware improvements in the current Android Nougat, and more are slated for the forthcoming Android O.
Ransomware isn’t as big of a threat on mobile devices as it has been on the desktop, but it does exist. Kovakina notes that Google tracked 30 Android ransomware families in the wild and collected 50,000 samples to learn how the malware behaved, what kind of API calls it abused, and what operating system processes it targeted.
Android ransomware variants tend to target older operating system versions; Cyber.Police, for example, exploited Android Ice Cream Sandwich, Jelly Bean, and KitKat devices a year ago. The malware locked up the devices’ home screens and demanded Apple iTunes gift cards in exchange for the decryption key to unlock the phones.
Victims of mobile ransomware have a guaranteed recovery method that’s not available to desktop victims: the factory reset. Users who regularly back up files and important settings minimize data loss as a result of the malware encrypting the data or from a device reset. The Android security team has not yet encountered any ransomware samples capable of encrypting Google’s cloud backup, Kovakina says, and “we haven’t yet seen ransomware that can survive factory reset.”
Google’s past actions: Deprecate, remove functionality
In the past, Google tackled the ransomware problem by deprecating API calls used by the malware. For example, DeviceAdmin, which asks the user to grant the app administrator privileges, was being abused by 70 percent of ransomware to gain elevated privileges on the affected device. DeviceAdmin is typically used by security apps and mobile device management tools to get administrator privileges. Potentially harmful apps or malware would repeatedly display the DeviceAdmin prompt, in hopes of annoying the user into granting the app administrator privileges, essentially creating a denial-of-service condition against the user interface.
The security team addressed this particular issue by changing the DeviceAdmin prompt in Android Nougat to include an obvious option to uninstall the app engaging in this kind of behavior.
In another tactic, malware that popped up activity windows as persistent overlays while other apps were running were abusing the getRunningTasks method in the Activity Manager, which lets apps find out what other tasks are running on Android. This method was deprecated in API level 21, and as of Android Lollipop, it’s no longer available to third-party apps. Mobile developers who previously used getRunningTasks should now use oom_score, which requires going through the proc/ directory to find running apps. The hidepid function in Android Nougat controls who gets to use the information in the directory.
The security model in Android Nougat was also changed, so apps now need granular access to music, docs, and photos to reduce potential damage from encryption.
New defenses coming in Android O
The developer preview of Android O was released March 21, and the API is “getting a complete overhaul,” Kovakina says.
To control what kind of windows can be displayed above other apps, apps using the O SDK will no longer be allowed to use the window types TYPE_PHONE, TYPE_PRIORITY_PHONE, TYPE_SYSTEM_ALERT, TYPE_SYSTEM_OVERLAY, or TYPE_SYSTEM_ERROR. Instead, developers will have to use the new window type TYPE_APPLICATION_OVERLAY. Apps using older SDK versions can still use those window types, but their windows will be z-ordered below the new TYPE_APPLICATION_OVERLAY windows. An ongoing low-priority notification is displayed in the window for all apps using the SYSTEM_ALERT_WINDOW permission, regardless of whether it’s using the new window type or one of the older ones.
All alert windows will be z-ordered below critical system windows like the lockscreen or the status bar. This means users will always be able to switch away from the alert windows.
Google will keep tinkering
There is a bit of a cat-and-mouse game being played. Many of the system improvements seen in latest versions of Android were inspired by a type of malware that successfully executed on a device. Malware creators will look for new tricks as Google addresses their current ones.
Google’s aim is to make it more difficult and costlier for attackers to build mobile malware. Kovakina acknowledges that users don’t always have the latest version, which is why Google has beefed up its Verify Apps tool’s ability to detect ransomware in the Google Play Store. Instead of warning of ransomware, Verify Apps now blocks suspected ransomware apps.