Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

4/26/2016
04:45 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

'Dogspectus' Breaks New Ground For Android Ransomware

Blue Coat says it's the first Android ransomware that installs without user interaction

Malware writers appear to have broken new ground with ‘Dogspectus’ a ransomware sample that infects smartphones and tablets running certain older versions of Android, via drive by download.

Unlike other mobile ransomware tools, Dogspectus does not require users to interact with it in any way in order to infect a device. Rather, the malware takes advantage of several vulnerabilities in Android versions 4.x to install itself silently on a user’s device.

The malware is contained in an exploit kit served up through malicious advertisements on several porn sites says Andrew Brandt, director of threat research at Blue Coat Systems, which disclosed details of the threat in an advisory this week.

The malware does not encrypt data like other ransomware tools. Instead it basically locks up an infected device and prevents the user from carrying out any function other than paying up a ransom to unlock it. In this case, the ransom is in the form of two, $100 Apple iTunes gift cards.

Users at risk are those who have mobile devices running Android 4.x , using the built in browser app that originally shipped with the device—and visiting porn sites with the malicious ads, Brandt said in comments to Dark Reading.

Gain insight into the latest threats and emerging best practices for managing them. Attend the Security Track at Interop Las Vegas, May 2-6. Register now!

Blue Coat said it discovered the ransomware when a test Android device in its possession became infected via a malicious advertisement served up from a website. According to the company, what makes Dogspectus interesting is the manner in which the malware infiltrates vulnerable devices.

The malicious Javascript that is used to launch the attack leverages an exploit developed by Italian surveillance firm Hacking Team that was publicly leaked last year following a data breach at the company.

The Hacking Team exploit delivers a malicious file on the device, which then profiles the device and sends the information to a remote command and control server. The CnC server in turn downloads an Android application package and installs it as root on the compromised device using a previously known exploit known as Towelroot.  It is this package that contains Dogspectcus.

Brandt says it takes just ten seconds from the moment the porn page is loaded to when the exploit kit completes its work and delivers the first malware to the device.

Following initial discovery of the threat, Blue Coat conducted a broader analysis and discovered that a whole network of domains has been involved in similar attacks since at least mid-February and in some cases even longer. The analysis shows that at least 224 Android device models running Android versions ranging from 4.0.3 and 4.4.4 have communicated with the command and control servers in the past few months, Blue Coat said.

The Hacking Team exploit itself is known to work only on Android versions 4.3, and before. So the fact that devices running Android 4.4.x were also infected suggests that the malware authors are exploiting other Android vulnerabilities as well, the security firm said.

Finding the source of the infection has been challenging because of the measures the malware authors have taken to hide their tracks. Blue Coat’s analysis showed that “there were six redirections in the seven seconds between when the porn site loaded its first page, and the exploit began to run,” Brandt says.

The malicious advertising domains being used to serve up the exploit kits also use new “weird” top-level domains like .pw, .xyx and .me.  “The operators of new [top-level domains] have a major problem deflecting criminals from using their services,” he says.

Because the ransomware does not encrypt data, Brandt says he was able to recover the contents of the infected Blue Coat test device by connecting it to a laptop, mounting it as a USB drive and copying everything off internal storage. “The ransomware and [initial executable] were both deleted from the device when I performed a factory reset and wiped everything off the device," he adds.

Related stories:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
4/27/2016 | 1:25:46 PM
General Progression
This seems to be the general progression (taking advantage of vulnerabilities instead of user interaction). Cisco speculates that the next step for ransomware progression is for ransomware to behave like a worm.
Data Leak Week: Billions of Sensitive Files Exposed Online
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
Intel Issues Fix for 'Plundervolt' SGX Flaw
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-5252
PUBLISHED: 2019-12-14
There is an improper authentication vulnerability in Huawei smartphones (Y9, Honor 8X, Honor 9 Lite, Honor 9i, Y6 Pro). The applock does not perform a sufficient authentication in a rare condition. Successful exploit could allow the attacker to use the application locked by applock in an instant.
CVE-2019-5235
PUBLISHED: 2019-12-14
Some Huawei smart phones have a null pointer dereference vulnerability. An attacker crafts specific packets and sends to the affected product to exploit this vulnerability. Successful exploitation may cause the affected phone to be abnormal.
CVE-2019-5264
PUBLISHED: 2019-12-13
There is an information disclosure vulnerability in certain Huawei smartphones (Mate 10;Mate 10 Pro;Honor V10;Changxiang 7S;P-smart;Changxiang 8 Plus;Y9 2018;Honor 9 Lite;Honor 9i;Mate 9). The software does not properly handle certain information of applications locked by applock in a rare condition...
CVE-2019-5277
PUBLISHED: 2019-12-13
Huawei CloudUSM-EUA V600R006C10;V600R019C00 have an information leak vulnerability. Due to improper configuration, the attacker may cause information leak by successful exploitation.
CVE-2019-5254
PUBLISHED: 2019-12-13
Certain Huawei products (AP2000;IPS Module;NGFW Module;NIP6300;NIP6600;NIP6800;S5700;SVN5600;SVN5800;SVN5800-C;SeMG9811;Secospace AntiDDoS8000;Secospace USG6300;Secospace USG6500;Secospace USG6600;USG6000V;eSpace U1981) have an out-of-bounds read vulnerability. An attacker who logs in to the board m...