Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Android Ransomware Dropped via Towelroot, Hacking Team Exploits

A new piece of Android ransomware is being delivered via a two known exploits without requiring interaction from the victims.

A new piece of Android ransomware is being delivered via a two known exploits without requiring interaction from the victims.

According to researchers at Blue Coat Labs, this new mobile threat is different from most crypto-ransomware making the rounds these days, but its delivery method is surprising. In fact, Blue Coat Labs’ Andrew Brandt believes this is the first time an exploit kit has been able to install a malicious program on a mobile device without user interaction.

The ransomware was automatically installed on a test device when accessing a web page with a malicious advertisements containing JavaScript code. The handset was running an older Android version and researchers discovered that the JavaScript contained an exploit leaked during the Hacking Team breach, while the payload includes code for the futex/Towelroot exploit discovered in 2014.

Brandt explains that Joshua Drake from mobile security solutions provider Zimperium has confirmed that the attack, which prevented the device from displaying the normal “application permissions” dialog box, was using the Hacking Team’s exploit against libxslt. The payload was a Linux ELF executable called module.so, which included the code for the Towelroot exploit.

The malware labels itself “Cyber.Police” (its internal name is net.prospectus) and resembles older, pre-cryptographic ransomware families: it locks the device, prevents all other applications from launching, and sets itself to start first at boot.

The malware also displays a notification prompting the user to pay a ransom to regain access to the device. Supposedly coming from the “American national security agency” or “Nation security agency,” the notification informs users they need to pay the ransom in the form of two $100 Apple iTunes gift card codes.

According to Blue Coat Labs, the ransomware was observed on a device running the Cyanogenmod 10 version of Android 4.2.2. However, researchers discovered that at least 224 unique device models running Android versions between 4.0.3 and 4.4.4 communicated the malware’s command and control (C&C) server since February 22.

They also note that some of these are known not to be vulnerable to the Hacking Team libxlst exploit, which means that attackers might have been targeting other vulnerabilities as well to ensure they can infect as many devices as possible.

Advertisement. Scroll to continue reading.

Researchers also note that, although an infected device is locked, users might be able to connect it to a computer and retrieve their unmodified documents, photos, and other files from both the device’s internal memory and storage card(s) that may be installed. They also discovered that the malware could survive an operating system flashing, although it would be removed during factory reset.

Related: Malicious Insiders Could Tap Ransomware-as-a-Service for Profit

Related: Ransomware: A Formidable Enterprise Threat

Written By

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...

Mobile & Wireless

Samsung smartphone users warned about CVE-2023-21492, an ASLR bypass vulnerability exploited in the wild, likely by a spyware vendor.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Cyberwarfare

An engineer recruited by intelligence services reportedly used a water pump to deliver Stuxnet, which reportedly cost $1-2 billion to develop.