Written by Sean Lyngaas

Mobile ransomware scams — in which crooks lock your phone and demand money — are nothing new. But they are getting more clever as cybercriminals find new ways to circumvent security.

The latest example is a ransomware scheme targeting Android phones that Microsoft made public Thursday. According to the research, the malicious code gets around security checks that Google, which owns Android, has instituted against previous ransomware kits.

Instead of abusing a permission feature that controls what apps can do on the phone, as other mobile ransomware scams have, this one triggers an incoming call notice to display the ransom note. It’s “the latest variant of a ransomware family that’s been in the wild for a while but has been evolving non-stop,” Dinesh Venkatesan, a Microsoft researcher, wrote in a blog.

Mobile ransomware generally isn’t as profitable as ransomware attacks on PCs or enterprise networks. But Allan Liska, an analyst at threat intelligence company Recorded Future, said phone-focused ransomware can still be effective.

Ransomware campaigns against mobile devices have stumbled over the last couple of years compared to their network counterparts,” Liska said. “This new evolution in Android ransomware shows that it can still be dangerous. The techniques this actor is using are borrowed from other successful Android malware campaigns.”

Some old tricks with the new

As with other mobile ransomware schemes, the attackers are locking access to the phone rather than encrypting data on the device, said Tanmay Ganacharya, lead of the Microsoft Defender Research team.

“Considering the limited compute power on mobile devices. performing operations like encryption can be very costly and could cause the device to freeze which can be easily noticed by the user,” Ganacharya said.

Ganacharya said the attackers, who are Russian speakers targeting other Russian speakers, have been demanding on average just 1000 rubles, or $13, to unlock the phone. It’s not clear who exactly is behind the scheme, or how successful it has been. Mobile users can generally reset their phones if they don’t want to pay a ransom.

While innovative in some ways, the newly revealed Android ransomware is conventional in others.

It borrows an age-old tactic of impersonating law enforcement and accusing the victim of heinous crimes to demand payment. A ransom note that came with a previous version of the malicious code accuses the mobile user of watching child pornography. If no payment is received, the attackers claim the user will be prosecuted.

That follows a separate scheme, reported in April by security company Check Point, in which Russian-speaking hackers were trying to shake down Android users by claiming to report them to the FBI for possessing pornography. The FBI has previously warned the public that ransomware actors have impersonated the bureau.