FireEye cybersecurity experts: The malware uses cookie headers to pass values to the C2 and can select referrers from a list of popular websites.
Microsoft: There is a new Android ransomware, AndroidOS/MalLocker.B. The malware doesn’t encrypt the files. It blocks access to the device by displaying a screen with the ransom note that appears over every other window.
Cybercrime actors are evolving their TTPs to spread ransomware via Android smartphones. Microsoft cybersecurity experts discovered a particularly sophisticated piece of malware with novel techniques and behavior, named AndroidOS/MalLocker.B. This ransomware family is known for being hosted on arbitrary websites and circulated on online forums using various social engineering lures, including masquerading as popular apps, cracked games, or video players. The new variant is an advanced piece of malware with unmistakably malicious characteristics and behavior, yet it manages to evade many available protections, registering a low detection rate against security solutions. As with most Android ransomware, this new threat doesn’t actually block access to files by encrypting them. Instead, it blocks access to the device by displaying a screen that appears over every other window, so that the user can’t do anything else. The screen is the ransom note, which contains threats and instructions to pay the ransom.