Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

4/26/2016
04:45 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

'Dogspectus' Breaks New Ground For Android Ransomware

Blue Coat says it's the first Android ransomware that installs without user interaction

Malware writers appear to have broken new ground with ‘Dogspectus’ a ransomware sample that infects smartphones and tablets running certain older versions of Android, via drive by download.

Unlike other mobile ransomware tools, Dogspectus does not require users to interact with it in any way in order to infect a device. Rather, the malware takes advantage of several vulnerabilities in Android versions 4.x to install itself silently on a user’s device.

The malware is contained in an exploit kit served up through malicious advertisements on several porn sites says Andrew Brandt, director of threat research at Blue Coat Systems, which disclosed details of the threat in an advisory this week.

The malware does not encrypt data like other ransomware tools. Instead it basically locks up an infected device and prevents the user from carrying out any function other than paying up a ransom to unlock it. In this case, the ransom is in the form of two, $100 Apple iTunes gift cards.

Users at risk are those who have mobile devices running Android 4.x , using the built in browser app that originally shipped with the device—and visiting porn sites with the malicious ads, Brandt said in comments to Dark Reading.

Gain insight into the latest threats and emerging best practices for managing them. Attend the Security Track at Interop Las Vegas, May 2-6. Register now!

Blue Coat said it discovered the ransomware when a test Android device in its possession became infected via a malicious advertisement served up from a website. According to the company, what makes Dogspectus interesting is the manner in which the malware infiltrates vulnerable devices.

The malicious Javascript that is used to launch the attack leverages an exploit developed by Italian surveillance firm Hacking Team that was publicly leaked last year following a data breach at the company.

The Hacking Team exploit delivers a malicious file on the device, which then profiles the device and sends the information to a remote command and control server. The CnC server in turn downloads an Android application package and installs it as root on the compromised device using a previously known exploit known as Towelroot.  It is this package that contains Dogspectcus.

Brandt says it takes just ten seconds from the moment the porn page is loaded to when the exploit kit completes its work and delivers the first malware to the device.

Following initial discovery of the threat, Blue Coat conducted a broader analysis and discovered that a whole network of domains has been involved in similar attacks since at least mid-February and in some cases even longer. The analysis shows that at least 224 Android device models running Android versions ranging from 4.0.3 and 4.4.4 have communicated with the command and control servers in the past few months, Blue Coat said.

The Hacking Team exploit itself is known to work only on Android versions 4.3, and before. So the fact that devices running Android 4.4.x were also infected suggests that the malware authors are exploiting other Android vulnerabilities as well, the security firm said.

Finding the source of the infection has been challenging because of the measures the malware authors have taken to hide their tracks. Blue Coat’s analysis showed that “there were six redirections in the seven seconds between when the porn site loaded its first page, and the exploit began to run,” Brandt says.

The malicious advertising domains being used to serve up the exploit kits also use new “weird” top-level domains like .pw, .xyx and .me.  “The operators of new [top-level domains] have a major problem deflecting criminals from using their services,” he says.

Because the ransomware does not encrypt data, Brandt says he was able to recover the contents of the infected Blue Coat test device by connecting it to a laptop, mounting it as a USB drive and copying everything off internal storage. “The ransomware and [initial executable] were both deleted from the device when I performed a factory reset and wiped everything off the device," he adds.

Related stories:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
4/27/2016 | 1:25:46 PM
General Progression
This seems to be the general progression (taking advantage of vulnerabilities instead of user interaction). Cisco speculates that the next step for ransomware progression is for ransomware to behave like a worm.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/3/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
Browsers to Enforce Shorter Certificate Life Spans: What Businesses Should Know
Kelly Sheridan, Staff Editor, Dark Reading,  7/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-17366
PUBLISHED: 2020-08-05
An issue was discovered in NLnet Labs Routinator 0.1.0 through 0.7.1. It allows remote attackers to bypass intended access restrictions or to cause a denial of service on dependent routing systems by strategically withholding RPKI Route Origin Authorisation ".roa" files or X509 Certificate...
CVE-2020-9036
PUBLISHED: 2020-08-05
Jeedom through 4.0.38 allows XSS.
CVE-2020-15127
PUBLISHED: 2020-08-05
In Contour ( Ingress controller for Kubernetes) before version 1.7.0, a bad actor can shut down all instances of Envoy, essentially killing the entire ingress data plane. GET requests to /shutdown on port 8090 of the Envoy pod initiate Envoy's shutdown procedure. The shutdown procedure includes flip...
CVE-2020-15132
PUBLISHED: 2020-08-05
In Sulu before versions 1.6.35, 2.0.10, and 2.1.1, when the "Forget password" feature on the login screen is used, Sulu asks the user for a username or email address. If the given string is not found, a response with a `400` error code is returned, along with a error message saying that th...
CVE-2020-7298
PUBLISHED: 2020-08-05
Unexpected behavior violation in McAfee Total Protection (MTP) prior to 16.0.R26 allows local users to turn off real time scanning via a specially crafted object making a specific function call.