Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

4/26/2016
04:45 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

'Dogspectus' Breaks New Ground For Android Ransomware

Blue Coat says it's the first Android ransomware that installs without user interaction

Malware writers appear to have broken new ground with ‘Dogspectus’ a ransomware sample that infects smartphones and tablets running certain older versions of Android, via drive by download.

Unlike other mobile ransomware tools, Dogspectus does not require users to interact with it in any way in order to infect a device. Rather, the malware takes advantage of several vulnerabilities in Android versions 4.x to install itself silently on a user’s device.

The malware is contained in an exploit kit served up through malicious advertisements on several porn sites says Andrew Brandt, director of threat research at Blue Coat Systems, which disclosed details of the threat in an advisory this week.

The malware does not encrypt data like other ransomware tools. Instead it basically locks up an infected device and prevents the user from carrying out any function other than paying up a ransom to unlock it. In this case, the ransom is in the form of two, $100 Apple iTunes gift cards.

Users at risk are those who have mobile devices running Android 4.x , using the built in browser app that originally shipped with the device—and visiting porn sites with the malicious ads, Brandt said in comments to Dark Reading.

Gain insight into the latest threats and emerging best practices for managing them. Attend the Security Track at Interop Las Vegas, May 2-6. Register now!

Blue Coat said it discovered the ransomware when a test Android device in its possession became infected via a malicious advertisement served up from a website. According to the company, what makes Dogspectus interesting is the manner in which the malware infiltrates vulnerable devices.

The malicious Javascript that is used to launch the attack leverages an exploit developed by Italian surveillance firm Hacking Team that was publicly leaked last year following a data breach at the company.

The Hacking Team exploit delivers a malicious file on the device, which then profiles the device and sends the information to a remote command and control server. The CnC server in turn downloads an Android application package and installs it as root on the compromised device using a previously known exploit known as Towelroot.  It is this package that contains Dogspectcus.

Brandt says it takes just ten seconds from the moment the porn page is loaded to when the exploit kit completes its work and delivers the first malware to the device.

Following initial discovery of the threat, Blue Coat conducted a broader analysis and discovered that a whole network of domains has been involved in similar attacks since at least mid-February and in some cases even longer. The analysis shows that at least 224 Android device models running Android versions ranging from 4.0.3 and 4.4.4 have communicated with the command and control servers in the past few months, Blue Coat said.

The Hacking Team exploit itself is known to work only on Android versions 4.3, and before. So the fact that devices running Android 4.4.x were also infected suggests that the malware authors are exploiting other Android vulnerabilities as well, the security firm said.

Finding the source of the infection has been challenging because of the measures the malware authors have taken to hide their tracks. Blue Coat’s analysis showed that “there were six redirections in the seven seconds between when the porn site loaded its first page, and the exploit began to run,” Brandt says.

The malicious advertising domains being used to serve up the exploit kits also use new “weird” top-level domains like .pw, .xyx and .me.  “The operators of new [top-level domains] have a major problem deflecting criminals from using their services,” he says.

Because the ransomware does not encrypt data, Brandt says he was able to recover the contents of the infected Blue Coat test device by connecting it to a laptop, mounting it as a USB drive and copying everything off internal storage. “The ransomware and [initial executable] were both deleted from the device when I performed a factory reset and wiped everything off the device," he adds.

Related stories:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
4/27/2016 | 1:25:46 PM
General Progression
This seems to be the general progression (taking advantage of vulnerabilities instead of user interaction). Cisco speculates that the next step for ransomware progression is for ransomware to behave like a worm.
Edge-DRsplash-10-edge-articles
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
News
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Commentary
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-19274
PUBLISHED: 2021-05-12
A Cross SIte Scripting (XSS) vulnerability exists in Dhcms 2017-09-18 in guestbook via the message board, which could let a remote malicious user execute arbitrary code.
CVE-2021-30211
PUBLISHED: 2021-05-12
Knowage Suite 7.3 is vulnerable to Stored Cross-Site Scripting (XSS). An attacker can inject arbitrary web script in '/knowage/restful-services/signup/update' via the 'surname' parameter.
CVE-2021-30212
PUBLISHED: 2021-05-12
Knowage Suite 7.3 is vulnerable to Stored Cross-Site Scripting (XSS). An attacker can inject arbitrary web script in '/knowage/restful-services/documentnotes/saveNote' via the 'nota' parameter.
CVE-2021-30213
PUBLISHED: 2021-05-12
Knowage Suite 7.3 is vulnerable to unauthenticated reflected cross-site scripting (XSS). An attacker can inject arbitrary web script in '/servlet/AdapterHTTP' via the 'targetService' parameter.
CVE-2021-30214
PUBLISHED: 2021-05-12
Knowage Suite 7.3 is vulnerable to Stored Client-Side Template Injection in '/knowage/restful-services/signup/update' via the 'name' parameter.