A newly found Android ransomware attack method has been revealed in the form of an almost silent exploit kit. It threatens phones, tablets and set-top video streaming devices alike. While the attack vector is brand new, the payload turns out to be old-school, harking back to pre-crypto “scareware” tactics.
Blue Coat Labs claims that the exploit kit (EK) uses several vulnerabilities to install malware onto the victim’s phone or tablet in the background, with no user interaction at all. During the attack, the infected device did not display the normal “application permissions” dialog box that usually precedes the installation of an Android application.
The exploits are commoditized implementations of the leaked Hacking Team exploit and the Towelroot exploit.
“After consulting with analyst Joshua Drake of Zimperium, he was able to confirm that the JavaScript used to initiate the attack contains an exploit against libxslt that was leaked during the Hacking Team breach,” stated the Blue Coat researcher Andrew Brandt.
“Drake also confirmed that the payload of that exploit, a Linux ELF executable named module.so, contains the code for the ‘futex’ or ‘Towelroot’ exploit that was first disclosed at the end of 2014… The ELF payload in turn contains code that downloads and installs an Android .apk application – which is a ransomware Trojan.”
The ransomware is named Cyber.Police and it is a version of older, pre-cryptographic ransomware families. Cyber.Police presents itself as a sort of law enforcement or intelligence agency intervention into browsing habits. The ransomware doesn’t threaten to encrypt the victim’s data. Instead, the device is held in a locked state where it cannot be used for anything other than delivering payment to the criminals in the form of two $100 Apple iTunes gift card codes.
“That’s unusual because it’s far more common nowadays for ransomware to demand non-trackable cryptocurrency, like Bitcoins,” Brandt stated.
“In theory, it might be possible for Apple (or its iTunes gift card partners) to track who used the gift cards provided to the criminals, which may help investigators identify them.”
The lab device, an older Samsung tablet, was running the CyanogenMod 10 build of Android 4.2.2 at the time it was infected. The researcher warned, though, that over-the-top video players running Android are also at risk.
“Older devices, which have not been updated (nor are likely to be updated) with the latest version of Android, may remain susceptible to this type of attack in perpetuity,” Brandt explained.
“That includes so-called media player devices – basically inexpensive, Android-driven video playback devices meant to be connected to TVs – many of which run the 4.x branch of the Android OS. Some of these older Android devices are now in the same situation as PCs running Windows XP: The OS may still work, despite no longer receiving updates, but using it constitutes a serious risk of infection.”
The attack has most likely been under way since at least February 22, and it has affected at least 224 unique device models running Android versions between 4.0.3 and 4.4.4.
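The version range above is the one Blue Coat observed on infected devices, so the practical first question for anyone managing a fleet of Android hardware (including the set-top players the article mentions) is simply which units report a release in that range. The following script is an added example, not code from the article or from Blue Coat; it reads the release string from a connected device with the standard `adb shell getprop ro.build.version.release` command and flags releases between 4.0.3 and 4.4.4. It assumes the range is inclusive at both ends, and it treats a match as an indicator of exposure rather than proof of compromise: a device outside the range is not thereby known to be safe.

```python
"""Flag Android devices whose reported release falls in the 4.0.3 - 4.4.4 range
the article associates with the Cyber.Police exploit kit.

Added example; the inclusive range bounds are an assumption drawn from the
article's wording, not a statement from the original research.
"""
import subprocess

AFFECTED_MIN = (4, 0, 3)   # lowest release observed on infected devices
AFFECTED_MAX = (4, 4, 4)   # highest release observed on infected devices


def parse_version(release):
    """Turn an Android release string into a 3-tuple of integers.

    Handles short forms ("4.2" -> (4, 2, 0)) and vendor/ROM suffixes such as
    "4.4.4-cm" by keeping only the leading digits of each component.
    """
    parts = []
    for piece in release.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def in_affected_range(release):
    """True when the release lies within the observed range (inclusive)."""
    return AFFECTED_MIN <= parse_version(release) <= AFFECTED_MAX


def device_release(adb="adb", serial=None):
    """Read ro.build.version.release from a connected device via adb."""
    cmd = [adb]
    if serial:
        cmd += ["-s", serial]
    cmd += ["shell", "getprop", "ro.build.version.release"]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return out.strip()


if __name__ == "__main__":
    # Constructed sample inventory for an offline run; real use would call
    # device_release() for each serial returned by `adb devices`.
    sample_inventory = {
        "tablet-lab": "4.2.2",
        "tv-box-1": "4.4.4",
        "tv-box-2": "4.4.4-cm",
        "phone-old": "4.0.2",
        "phone-new": "6.0.1",
    }
    for name, release in sample_inventory.items():
        status = "IN RANGE" if in_affected_range(release) else "outside"
        print(f"{name:12s} {release:10s} {status}")
```

Running the script offline prints the constructed inventory with each device marked in or outside the range; with devices attached, replace the dictionary with calls to `device_release()` for each serial.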
When it comes to ransomware in general, the best defense is to keep a backup of your photos, videos, and other data files somewhere other than on your phone or tablet’s internal memory or memory card. That way, device owners can perform a factory reset and lose nothing but the time it takes to reconfigure the device and reinstall its apps. Using an up-to-date web browser is also highly recommended.