Andrew Brandt, a security researcher at Blue Coat, has revealed a new ransomware targeting older Android devices delivered through an exploit kit called Towelroot.
It is believed that this is the first time Towelroot has been used in an exploit kit, and the first time an exploit kit has been able to successfully install malicious apps on a mobile device silently without any user interaction.
Brandt says older Androids can be hijacked with persistent ads that force victims to buy US$200 worth of iTunes gift cards. Brandt considers the spam as ransomware since it traps infected Androids in a locked screen state until victims buy attackers gift cards which would presumably be later flipped for cash.
A majority of Android devices run older versions of the OS that lack the security improvements present in the more recent Lollipop and Marshmallow releases.
Blue Coat Labs discovered the attack method when a test Android device in a lab environment was hit with the ransomware, following an advertisement containing hostile Javascript being loaded from a web page.
Some of the key elements to this attack include:
- Silent but violent: During the attack, the device did not display the normal “application permissions†dialog box that typically precedes installation of an Android application.
- Payment by iTunes vouchers: The ransomware doesn’t threaten to encrypt the victim’s data. Rather, the device is held in a locked state where it cannot be used for anything other than delivering payment to the criminals in the form of two $100 Apple iTunes gift card codes.
- App killer: The malware’s internal name for itself is “net.prospectus†and engages in the sorts of behaviour expected from ransomware such as: it kills all other apps, prevents other apps from launching or stops the ransomware.
- Prevention: To get rid of the ransomware users are advised to backup their data and restore device settings back to factory mode.
Brandt says attackers, have since at least February, used an exploit leaked in the Hacking Team breach and the 2014 TowelRoot exploit to deliver the ransomware without interaction.
Brandt said,
“This is the first time to my knowledge an exploit kit has been able to successfully install malicious apps on a mobile device without any user interaction,”ÂÂ
“During the attack, the device did not display the normal application permissions dialog box that typically precedes installation of an Android application.
“In theory, it might be possible for Apple – or its iTunes gift card partners – to track who used the gift cards provided to the criminals, which may help investigators identify them.”
Further analysis, with help from researchers at Zimperium, revealed that the ad contained JavaScript code that exploited a known vulnerability in libxslt. This libxslt exploit was among the files leaked last year from surveillance software maker Hacking Team.
If successful, the exploit drops an ELF executable named module.so on the device that in turn exploits another vulnerability to gain root access — the highest privilege on the system. The root exploit used by module.so is known as Towelroot and was published in 2014.
After the device is compromised, Towelroot downloads and silently installs an APK file that’s actually a ransomware program called Dogspectus or Cyber.Police.
This application does not encrypt user files, like other ransomware programs do these days. Instead, it displays a fake warning, allegedly from law enforcement agencies, saying illegal activity was detected on the device and the owner needs to pay a fine.
The application blocks victims from doing anything else on the device until they pay up or perform a factory reset. The second option will wipe all files from the device, so its best to connect the device to a computer and save them first.
The attack targets the 4.x branch of Android, and Blue Coat says at least 224 devices communicated with the servers running the Ransomware campaign. All of them were running Android versions with a range between 4.0.3 and 4.4.4. Android devices on the 5.x or 6.x branch are not affected, Blue Coat says.
“The commoditized implementation of the Hacking Team and Towelroot exploits to install malware onto Android mobile devices using an automated exploit kit has some serious consequences,” Brandt said.
“The most important of these is that older devices, which have not been updated (nor are likely to be updated) with the latest version of Android, may remain susceptible to this type of attack in perpetuity.”
It does not matter if the device is rooted or not, Brandt added, as Towelroot itself is an exploit that can be used for local privilege escalation. Also, the malware used for this campaign was delivered via a malicious ad, so there is no action required on the victim’s part other than to use the device as normal.
For devices infected by this campaign, Blue Coat discovered that an infected device could be connected to a computer, which enables retrieval of documents, images, music, etc. However, the infection remained after installing a newer build of Android over an infected version. A factory reset will clear the infection at the cost of deleting installed applications.
“As with other ransomware, the best way to defeat the criminals is to keep a backup of those precious photos, videos, and other data files somewhere other than on your phone or tablet’s internal memory or memory card. That way, you can just perform a factory reset and not worry about losing anything other than the time it takes to reconfigure and reinstall your mobile device’s apps,”
Blue Coat examined the malware on a device running the custom Cyanogenmod 10 build of the Android 4.2.2 operating system.
You can read the full blog post from Andrew here.