Connect with us

Hi, what are you looking for?


Malware & Threats

Android Ransomware Dropped via Towelroot, Hacking Team Exploits

A new piece of Android ransomware is being delivered via a two known exploits without requiring interaction from the victims.

A new piece of Android ransomware is being delivered via a two known exploits without requiring interaction from the victims.

According to researchers at Blue Coat Labs, this new mobile threat is different from most crypto-ransomware making the rounds these days, but its delivery method is surprising. In fact, Blue Coat Labs’ Andrew Brandt believes this is the first time an exploit kit has been able to install a malicious program on a mobile device without user interaction.

The ransomware was automatically installed on a test device when accessing a web page with a malicious advertisements containing JavaScript code. The handset was running an older Android version and researchers discovered that the JavaScript contained an exploit leaked during the Hacking Team breach, while the payload includes code for the futex/Towelroot exploit discovered in 2014.

Brandt explains that Joshua Drake from mobile security solutions provider Zimperium has confirmed that the attack, which prevented the device from displaying the normal “application permissions” dialog box, was using the Hacking Team’s exploit against libxslt. The payload was a Linux ELF executable called, which included the code for the Towelroot exploit.

The malware labels itself “Cyber.Police” (its internal name is net.prospectus) and resembles older, pre-cryptographic ransomware families: it locks the device, prevents all other applications from launching, and sets itself to start first at boot.

The malware also displays a notification prompting the user to pay a ransom to regain access to the device. Supposedly coming from the “American national security agency” or “Nation security agency,” the notification informs users they need to pay the ransom in the form of two $100 Apple iTunes gift card codes.

According to Blue Coat Labs, the ransomware was observed on a device running the Cyanogenmod 10 version of Android 4.2.2. However, researchers discovered that at least 224 unique device models running Android versions between 4.0.3 and 4.4.4 communicated the malware’s command and control (C&C) server since February 22.

Advertisement. Scroll to continue reading.

They also note that some of these are known not to be vulnerable to the Hacking Team libxlst exploit, which means that attackers might have been targeting other vulnerabilities as well to ensure they can infect as many devices as possible.

Researchers also note that, although an infected device is locked, users might be able to connect it to a computer and retrieve their unmodified documents, photos, and other files from both the device’s internal memory and storage card(s) that may be installed. They also discovered that the malware could survive an operating system flashing, although it would be removed during factory reset.

Related: Malicious Insiders Could Tap Ransomware-as-a-Service for Profit

Related: Ransomware: A Formidable Enterprise Threat

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Mobile & Wireless

Critical security flaws expose Samsung’s Exynos modems to “Internet-to-baseband remote code execution” attacks with no user interaction. Project Zero says an attacker only needs...