Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

4/26/2016
04:45 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

'Dogspectus' Breaks New Ground For Android Ransomware

Blue Coat says it's the first Android ransomware that installs without user interaction

Malware writers appear to have broken new ground with ‘Dogspectus’ a ransomware sample that infects smartphones and tablets running certain older versions of Android, via drive by download.

Unlike other mobile ransomware tools, Dogspectus does not require users to interact with it in any way in order to infect a device. Rather, the malware takes advantage of several vulnerabilities in Android versions 4.x to install itself silently on a user’s device.

The malware is contained in an exploit kit served up through malicious advertisements on several porn sites says Andrew Brandt, director of threat research at Blue Coat Systems, which disclosed details of the threat in an advisory this week.

The malware does not encrypt data like other ransomware tools. Instead it basically locks up an infected device and prevents the user from carrying out any function other than paying up a ransom to unlock it. In this case, the ransom is in the form of two, $100 Apple iTunes gift cards.

Users at risk are those who have mobile devices running Android 4.x , using the built in browser app that originally shipped with the device—and visiting porn sites with the malicious ads, Brandt said in comments to Dark Reading.

Gain insight into the latest threats and emerging best practices for managing them. Attend the Security Track at Interop Las Vegas, May 2-6. Register now!

Blue Coat said it discovered the ransomware when a test Android device in its possession became infected via a malicious advertisement served up from a website. According to the company, what makes Dogspectus interesting is the manner in which the malware infiltrates vulnerable devices.

The malicious Javascript that is used to launch the attack leverages an exploit developed by Italian surveillance firm Hacking Team that was publicly leaked last year following a data breach at the company.

The Hacking Team exploit delivers a malicious file on the device, which then profiles the device and sends the information to a remote command and control server. The CnC server in turn downloads an Android application package and installs it as root on the compromised device using a previously known exploit known as Towelroot.  It is this package that contains Dogspectcus.

Brandt says it takes just ten seconds from the moment the porn page is loaded to when the exploit kit completes its work and delivers the first malware to the device.

Following initial discovery of the threat, Blue Coat conducted a broader analysis and discovered that a whole network of domains has been involved in similar attacks since at least mid-February and in some cases even longer. The analysis shows that at least 224 Android device models running Android versions ranging from 4.0.3 and 4.4.4 have communicated with the command and control servers in the past few months, Blue Coat said.

The Hacking Team exploit itself is known to work only on Android versions 4.3, and before. So the fact that devices running Android 4.4.x were also infected suggests that the malware authors are exploiting other Android vulnerabilities as well, the security firm said.

Finding the source of the infection has been challenging because of the measures the malware authors have taken to hide their tracks. Blue Coat’s analysis showed that “there were six redirections in the seven seconds between when the porn site loaded its first page, and the exploit began to run,” Brandt says.

The malicious advertising domains being used to serve up the exploit kits also use new “weird” top-level domains like .pw, .xyx and .me.  “The operators of new [top-level domains] have a major problem deflecting criminals from using their services,” he says.

Because the ransomware does not encrypt data, Brandt says he was able to recover the contents of the infected Blue Coat test device by connecting it to a laptop, mounting it as a USB drive and copying everything off internal storage. “The ransomware and [initial executable] were both deleted from the device when I performed a factory reset and wiped everything off the device," he adds.

Related stories:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
4/27/2016 | 1:25:46 PM
General Progression
This seems to be the general progression (taking advantage of vulnerabilities instead of user interaction). Cisco speculates that the next step for ransomware progression is for ransomware to behave like a worm.
Exploits Released for As-Yet Unpatched Critical Citrix Flaw
Jai Vijayan, Contributing Writer,  1/13/2020
Active Directory Needs an Update: Here's Why
Raz Rafaeli, CEO and Co-Founder at Secret Double Octopus,  1/16/2020
Microsoft Patches Windows Vuln Discovered by the NSA
Kelly Sheridan, Staff Editor, Dark Reading,  1/14/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-14629
PUBLISHED: 2020-01-17
Improper permissions in Intel(R) DAAL before version 2020 Gold may allow an authenticated user to potentially enable information disclosure via local access.
CVE-2019-17125
PUBLISHED: 2020-01-17
A Reflected Client Side Template Injection (CSTI) with Angular was discovered in the SolarWinds Orion Platform 2019.2 HF1 in many forms. An attacker can inject an Angular expression and escape the Angular sandbox to achieve stored XSS.
CVE-2019-17127
PUBLISHED: 2020-01-17
A Stored Client Side Template Injection (CSTI) with Angular was discovered in the SolarWinds Orion Platform 2019.2 HF1 in many application forms. An attacker can inject an Angular expression and escape the Angular sandbox to achieve stored XSS. This can lead to privilege escalation.
CVE-2020-3940
PUBLISHED: 2020-01-17
VMware Workspace ONE SDK and dependent mobile application updates address sensitive information disclosure vulnerability.
CVE-2020-6862
PUBLISHED: 2020-01-17
V6.0.10P2T2 and V6.0.10P2T5 of F6x2W product are impacted by Information leak vulnerability. Unauthorized users could log in directly to obtain page information without entering a verification code.