Android Ransomware Dropped via Towelroot, Hacking Team Exploits

A new piece of Android ransomware is being delivered via a two known exploits without requiring interaction from the victims.

According to researchers at Blue Coat Labs, this new mobile threat is different from most crypto-ransomware making the rounds these days, but its delivery method is surprising. In fact, Blue Coat Labs’ Andrew Brandt believes this is the first time an exploit kit has been able to install a malicious program on a mobile device without user interaction.

The ransomware was automatically installed on a test device when accessing a web page with a malicious advertisements containing JavaScript code. The handset was running an older Android version and researchers discovered that the JavaScript contained an exploit leaked during the Hacking Team breach, while the payload includes code for the futex/Towelroot exploit discovered in 2014.

Brandt explains that Joshua Drake from mobile security solutions provider Zimperium has confirmed that the attack, which prevented the device from displaying the normal “application permissions” dialog box, was using the Hacking Team’s exploit against libxslt. The payload was a Linux ELF executable called module.so, which included the code for the Towelroot exploit.

The malware labels itself “Cyber.Police” (its internal name is net.prospectus) and resembles older, pre-cryptographic ransomware families: it locks the device, prevents all other applications from launching, and sets itself to start first at boot.

The malware also displays a notification prompting the user to pay a ransom to regain access to the device. Supposedly coming from the “American national security agency” or “Nation security agency,” the notification informs users they need to pay the ransom in the form of two $100 Apple iTunes gift card codes.

According to Blue Coat Labs, the ransomware was observed on a device running the Cyanogenmod 10 version of Android 4.2.2. However, researchers discovered that at least 224 unique device models running Android versions between 4.0.3 and 4.4.4 communicated the malware’s command and control (C&C) server since February 22.

They also note that some of these are known not to be vulnerable to the Hacking Team libxlst exploit, which means that attackers might have been targeting other vulnerabilities as well to ensure they can infect as many devices as possible.

Researchers also note that, although an infected device is locked, users might be able to connect it to a computer and retrieve their unmodified documents, photos, and other files from both the device’s internal memory and storage card(s) that may be installed. They also discovered that the malware could survive an operating system flashing, although it would be removed during factory reset.

Related: Malicious Insiders Could Tap Ransomware-as-a-Service for Profit

Related: Ransomware: A Formidable Enterprise Threat