Ransomware Can Infect Android Devices Without Any User Interaction
Hacking Team and Towelroot exploits combined to deliver ransomware to Android devices via malvertising

Today, researchers have discovered a new mobile malware distribution campaign that does not require any type of user interaction in order to infect devices with ransomware.

The infection occurs when users visit a website that contains tainted JavaScript code. Blue Coat Labs says the malicious code is delivered via malicious ads (malvertising).

Security researchers from Zimperium have confirmed that the malicious code contained an exploit leaked last year in the Hacking Team data breach.

Malvertising hits Android devices:

The exploit leverages a vulnerability in the libxslt Android library to allow attackers to download a Linux ELF binary called module.so on the device.

This binary uses the Towelroot Android exploit (also the name of a rooting toolkit) to obtain root privileges on the device. Once root access is obtained, module.so downloads an additional Android APK, which contains the ransomware code.

With root access in hand, the attacker can silently install the ransomware without prompting the user for any permissions.

Ransomware targets mainly older Android devices:

The ransomware trojan is named Cyber.Police and was first detected back in December 2014. Unlike desktop ransomware that encrypts files, Cyber.Police only locks the user's screen and asks them to buy two Apple iTunes gift cards worth $100 each.

Even if Apple tracks iTunes gift cards, these can be used as virtual currency on the underground hacking market and passed around for years between numerous individuals before being used.

Blue Coat Labs says that infected victims send unencrypted traffic from their device to a central command and control server. The company was able to track traffic coming from 224 different Android device models (tablets, smartphones), using Android versions between 4.0.3 and 4.4.4.

The lowest officially supported version of Android is 4.4.4, meaning attackers are targeting users who have failed or cannot upgrade their devices.

"The fact that some of these devices are known not to be vulnerable specifically to the Hacking Team libxslt exploit means that different exploits may have been used to infect some of these [other] mobile devices," Andrew Brandt of Blue Coat notes.

How to get rid of Cyber.Police:

If you find your device infected with the Cyber.Police Android ransomware, Blue Coat says that they managed to remove the malware by resetting the device to factory settings.

Before going through a factory reset, users should connect the device to their PC and copy personal data to their computer.

Upgrading to a newer version of Android did not help because Cyber.Police was installed as a normal application, and Android updates keep apps intact while upgrading.
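The removal steps above (back up personal data, then factory reset, since an OS upgrade leaves the app in place) can be scripted for a device that has USB debugging enabled. The following is an added example, not code from the article or from Blue Coat: it assumes adb is on the PATH, reads the Android release version, flags whether it falls inside the 4.0.3 to 4.4.4 range that Blue Coat observed on infected devices, saves the list of user-installed packages (where an APK installed as an ordinary app shows up), and copies the internal storage off the device before the reset. The output directory name is a hypothetical default.

```shell
#!/bin/sh
# Added example (not from the article): pre-reset triage and backup for an
# Android device suspected of carrying Cyber.Police. Assumes adb is installed
# and the device is attached with USB debugging enabled.

# ver_cmp A B: succeed (exit 0) if dotted version A >= B, comparing field by
# field numerically. Missing fields count as 0, so 4.4 == 4.4.0.
ver_cmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah=${a%%.*}; if [ "$ah" = "$a" ]; then a=; else a=${a#*.}; fi
        bh=${b%%.*}; if [ "$bh" = "$b" ]; then b=; else b=${b#*.}; fi
        ah=${ah:-0}; bh=${bh:-0}
        if [ "$ah" -gt "$bh" ]; then return 0; fi
        if [ "$ah" -lt "$bh" ]; then return 1; fi
    done
    return 0
}

# version_in_range V LOW HIGH: succeed if LOW <= V <= HIGH.
version_in_range() {
    ver_cmp "$1" "$2" && ver_cmp "$3" "$1"
}

# Collect evidence and a data backup before wiping. The argument is the
# output directory (hypothetical default ./android-triage).
triage_device() {
    out="${1:-./android-triage}"
    mkdir -p "$out"

    # Old adb builds emit CRLF; keep only digits and dots from the version.
    ver=$(adb shell getprop ro.build.version.release | tr -cd '0-9.')
    echo "Android release: $ver" > "$out/version.txt"
    if version_in_range "$ver" 4.0.3 4.4.4; then
        echo "within the 4.0.3-4.4.4 range seen on infected devices" >> "$out/version.txt"
    else
        echo "outside the 4.0.3-4.4.4 range seen on infected devices" >> "$out/version.txt"
    fi

    # Third-party (user-installed) packages: the ransomware was installed as a
    # normal application, so it appears here rather than among system apps.
    adb shell pm list packages -3 | tr -d '\r' > "$out/third-party-packages.txt"

    # Copy personal data off the device before the factory reset.
    adb pull /sdcard "$out/sdcard"
    echo "triage written to $out; review third-party-packages.txt before resetting"
}
```

Run `triage_device ./evidence-2016` with the device attached, keep the resulting directory, and only then perform the factory reset from the device's settings; the package list lets you recognise the offending app's name if it reappears on a restored device.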
