This new trojan-ransomware for Android has been discovered by researchers at Blue Coat. It is one of the new variants that do not require user interaction to infect devices. The ransom demanded is $200 U.S payable by iTunes gift card.
The malware is delivered by malvertising (malicious ads) on websites compromised by hackers. In the frame of an innocent-looking advert lurks the hacker’s JavaScripted exploit kit which pro-actively injects the ransomware into the Android operating system. This method of delivering malware is becoming more usual in mobile devices. After installing, the user’s phone is locked completely apart from functions that allows only the $200 ransom (or ‘fine’) to be paid.
The ransomware element – Dogspectus – is a variant of a Cyber.Police ransomware dating from the end of 2014 which locks a device and states an illegal infringement has been carried out on it. A fake notice from a ‘law’ enforcement office states a fine has to be paid in order to get the device unlocked. This is supposedly to a ‘treasury account’ – though to be paid in gift tokens!!!
The researchers first detected the threat running on a tablet using CyanogenMod 10/ Android 4.2.2. Security experts from Zimperium later confirmed that it used the code exploit (a vulnerability) leaked in the Hacking Team data breach last year. It is thought to be the first instance of an exploit kit delivering mobile malware ‘hands-free’ – without any interaction from the user. Andrew Brandt from Blue Coat explains, ‘This is the first time, to my knowledge; an exploit kit has been able to successfully install malicious apps on a mobile device without any user interaction on the part of the victim. During the attack, the device did not display the normal “application permissions” dialog box that normally comes before the installation of an Android application.’
Zimperium analyzed Dogspectus and found that it uses a vulnerability in the Android library (libxslt). This allows the attacker to download a LINUX ELF binary (called module.so).
The binary then uses a tool called Towelroot which works to get root access (privileges) in the device’s OS using a Linux flaw (this tool was released by hacker George Hotz in 2014).
Once root access is established, module.so downloads an APK (Android Application Package) which contains the ransomware. This is then installed, not needing user permission.
Analysts tracked traffic that the malware sent back to the hacker’s server from 224 different Android devices and models (smartphone and tablet) that were using v4.0.3 and 4.4.4. As the lowest officially supported Android version is 4.4.4, the hackers target users who haven’t upgraded. Some devices and versions have different levels of vulnerability to this Hacking Team exploit, though it is inevitable that different entry routes will be employed to deliver Dogspectus.
Brandt recommends that if infected, the best way to remove Dogspectus is to restore the device to factory settings, first connecting to a PC to copy any personal data. The next thing to do is upgrade to the latest version of Android.
