Old-School Android Ransomware Gets New-School Attack Vector

A novel Android attack method for ransomware has been unearthed in the form of an almost silent exploit kit—which threatens tablets, phones and set-top video streaming devices alike. But while the attack vector appears to be brand-new, the payload is decidedly old-school, hearkening back to pre-crypto "scareware" tactics.

According to Blue Coat Labs, the EK is using several vulnerabilities to install malware onto the victim's phone or tablet in the background—without any user interaction at all on the part of the victim. During the attack, the device did not display the normal “application permissions” dialog box that typically precedes installation of an Android application.

The exploits are commoditized implementations of leaked Hacking Team and Towelroot fare.

“After consulting with analyst Joshua Drake of Zimperium, he was able to confirm that the Javascript used to initiate the attack contains an exploit against libxslt that was leaked during the Hacking Team breach,” said Blue Coat researcher Andrew Brandt, in an analysis. “Drake also confirmed that the payload of that exploit, a Linux ELF executable named module.so, contains the code for the ‘futex’ or ‘Towelroot’ exploit that was first disclosed at the end of 2014….The ELF payload in turn contains code that downloads and installs an Android .apk application—which is a ransomware Trojan.”

The ransomware labels itself Cyber.Police, and is a version of older, pre-cryptographic ransomware families. It presents itself as a sort of law enforcement or intelligence agency intervention into browsing habits. The ransomware doesn't threaten to (or actually) encrypt the victim's data.  Rather, the device is held in a locked state where it cannot be used for anything other than delivering payment to the criminals in the form of two $100 Apple iTunes gift card codes.

“That's unusual because it's far more common nowadays for ransomware to demand non-trackable cryptocurrency, like Bitcoins,” Brandt said. “In theory, it might be possible for Apple (or its iTunes gift card partners) to track who used the gift cards provided to the criminals, which may help investigators identify them.”

The lab device, an older Samsung tablet, was running the Cyanogenmod 10 version of Android 4.2.2 at the time it was infected. But the researcher cautioned that over-the-top video players running Android are also at risk.

“Older devices, which have not been updated (nor are likely to be updated) with the latest version of Android, may remain susceptible to this type of attack in perpetuity,” Brandt said. “That includes so-called media player devices—basically inexpensive, Android-driven video playback devices meant to be connected to TVs—many of which run the 4.x branch of the Android OS. Some of these older Android devices are now in the same situation as PCs running Windows XP: The OS may still work, despite no longer receiving updates, but using it constitutes a serious risk of infection.”

The attack, which has been going on at least since February 22 and possibly before, appears to affect at least 224 unique device models running a range of Android versions between 4.0.3 and 4.4.4.

As with other ransomware, the best way to defeat the criminals is to keep a backup of those precious photos, videos, and other data files somewhere other than on your phone or tablet's internal memory or memory card. That way, users can just perform a factory reset and not worry about losing anything other than the time it takes to reconfigure and reinstall a mobile device's apps. Using a more up-to-date browser than the built-in browser app included with Android 4.x devices is also highly recommended.

Photo © dizain

What’s Hot on Infosecurity Magazine?