Malvertising: Exploit Kit pushes Ransomware to Android devices

Towelroot exploit, used alongside a leaked Hacking Team exploit, delivers Ransomware to Androids via compromised advertising

[Image: android figurine. Credit: Scott Akerman]

It isn't Ransomware in the traditional sense, as there's no encryption, but Android devices are being targeted by malware that hijacks mobile advertisements to scam gift cards, researchers at Blue Coat Labs discovered.

The Ransomware, called Dogspectus by Blue Coat, holds the device in a locked state where it can't be used for anything other than to make payment. In this case, the demands are $200 in iTunes gift cards. Blue Coat Labs researchers discovered the attack after a tablet running CyanogenMod 10 / Android 4.2.2 viewed a malicious advertisement.

The malicious ad installed the payloads silently with no user interaction. This was possible because the Exploit Kit managing the campaign used a previously leaked Hacking Team exploit (lbxslt) to deliver an Android exploit (Towelroot), which in turn installs the Ransomware.

"This is the first time, to my knowledge, an exploit kit has been able to successfully install malicious apps on a mobile device without any user interaction on the part of the victim," said Blue Coat's Andrew Brandt.

"The commoditized implementation of the Hacking Team and Towelroot exploits to install malware onto Android mobile devices using an automated exploit kit has some serious consequences. The most important of these is that older devices, which have not been updated (nor are likely to be updated) with the latest version of Android, may remain susceptible to this type of attack in perpetuity."

The attack targets the 4.x branch of Android, and Blue Coat says at least 224 devices communicated with the servers running the Ransomware campaign. All of them were running Android versions between 4.0.3 and 4.4.4. Android devices on the 5.x or 6.x branch are not affected, Blue Coat says.
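
The version figures above are the practical yardstick for a fleet owner: which managed devices sit in the range Blue Coat saw, which are on the targeted 4.x branch but outside it, and which are on 5.x/6.x. The following triage script is an added example, not code from Blue Coat or the article; the inventory it runs over is constructed, and the device ids and the vendor build suffix "-cm10" are assumed formats.

```python
import re

# Range Blue Coat observed on the 224 devices that contacted the campaign servers;
# the campaign targets the 4.x branch, 5.x/6.x were reported unaffected (article).
OBSERVED_MIN = (4, 0, 3)
OBSERVED_MAX = (4, 4, 4)

def parse_android_version(text):
    """Return (major, minor, patch) from "4.4.4", "4.4" or "4.2.2-cm10";
    vendor suffixes are ignored, missing parts are 0, no digits -> ValueError."""
    m = re.match(r"\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised Android version: {text!r}")
    return tuple(int(p) if p else 0 for p in m.groups())

def classify(release):
    """Map a release string onto the article's exposure picture."""
    # Tuple comparison avoids the string trap where "4.10" sorts below "4.4".
    v = parse_android_version(release)
    if OBSERVED_MIN <= v <= OBSERVED_MAX:
        return "observed"      # inside the range seen in the campaign
    if v[0] == 4:
        return "branch-4.x"    # targeted branch, outside the observed range
    if v[0] >= 5:
        return "not-affected"  # 5.x / 6.x per Blue Coat
    return "other"             # pre-4.x, not discussed in the article

def triage_fleet(inventory):
    """Group (device_id, release) pairs by classification; unparsable
    release strings are collected separately for manual review."""
    groups = {"observed": [], "branch-4.x": [], "not-affected": [],
              "other": [], "unparsable": []}
    for device_id, release in inventory:
        try:
            groups[classify(release)].append(device_id)
        except ValueError:
            groups["unparsable"].append(device_id)
    return groups

# Constructed sample inventory (not real devices), including the CyanogenMod
# 10 / Android 4.2.2 tablet build mentioned in the article.
SAMPLE_INVENTORY = [
    ("tab-01", "4.2.2-cm10"), ("phone-02", "4.4.4"), ("phone-03", "4.0.2"), ("phone-04", "5.1.1"),
    ("phone-05", "4.4"), ("phone-06", "unknown"), ("phone-07", "4.10"),
]

if __name__ == "__main__":
    for group, ids in triage_fleet(SAMPLE_INVENTORY).items():
        print(f"{group:13s} {ids}")
```

Devices in the "observed" and "branch-4.x" groups are the ones to prioritise for an update or, where none will ever ship, for a factory reset plan and off-device backups as the article recommends.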

It does not matter if the device is rooted or not, Brandt added, as Towelroot itself is an exploit that can be used for local privilege escalation. Also, the malware used for this campaign was delivered via a malicious ad, so there is no action required on the victim's part other than to use the device as normal.

For devices infected by this campaign, Blue Coat found that the device can still be connected to a computer, which allows documents, images, music and other files to be retrieved. The infection survived installing a newer build of Android over the infected one, however. A factory reset clears the infection, at the cost of deleting installed applications.

"As with other ransomware, the best way to defeat the criminals is to keep a backup of those precious photos, videos, and other data files somewhere other than on your phone or tablet's internal memory or memory card. That way, you can just perform a factory reset and not worry about losing anything other than the time it takes to reconfigure and reinstall your mobile device's apps," Brandt said.

Some opinion:

According to stats taken from devices running the latest version of the Google Play app, 59.6 percent of the Android devices in the hands of consumers are running version 4.4 or lower.

You can bet plenty of them are viewing websites and the ads running on them.

Ad blocking is a complex topic. Publishers depend on ads to pay bills, and in the early days on the Web, no one minded. Then the advertisers started collecting more data and keeping tabs on readers, which led to the development of ad blocking systems. Soon after, those who didn't block ads were caught in the crossfire when criminals leveraged ad platforms as a delivery mechanism for malware.

This latest campaign is a sign of things to come. As publishers turn towards ads on mobile platforms, the need for mobile ad blocking will become a priority.

On Android, you can install Adblock Plus, and I encourage you to do so. Be warned, though, that Adblock Plus whitelists some advertising platforms, which leaves you with few options and plenty of risk should those whitelisted platforms get hijacked.

Note: When I wrote in the opening sentence that this isn't Ransomware in the traditional sense, that's because most people will hear the term and assume encryption. Originally, this was how ransomware operated: lock the system, prevent access, and demand gift cards or other tangible goods. People found ways around that, though, so criminals then started encrypting files.

To comment on this article and other CSO content, visit our Facebook page or our Twitter stream.