A new piece of Android ransomware is using browser exploits to infect devices without any user interaction at all. The Cyber.Police ransomware delivers its exploits in JavaScript, and at least one of them targets a known bug that has been public for more than a year.
Researchers at Zimperium and Blue Coat Labs examined the exploit and found that it is the same one leaked after the Hacking Team compromise in 2015. The initial infection vector the Blue Coat researchers observed was a malicious ad on a website, which delivered the JavaScript exploits. The user doesn't need to take any action for the exploit to run and install the ransomware.
“This is the first time, to my knowledge, an exploit kit has been able to successfully install malicious apps on a mobile device without any user interaction on the part of the victim. During the attack, the device did not display the normal ‘application permissions’ dialog box that typically precedes installation of an Android application,” said Andrew Brandt of Blue Coat Labs.
Once installed, the ransomware displays a warning screen in broken English, telling the user that the device's contents have been locked and that, if the ransom isn't paid, those contents will be sent to the Department of Homeland Security. The ransomware mainly targets devices running older versions of Android, most of which will never be patched against the vulnerability used in the attack.
“While we only have visibility into some of the HTTP traffic requests made on the networks of some of our customers, we were able to build up a profile of the typical infected device, based on what we know about how the malware beacons to its command-and-control servers. We’ve determined that at least 224 unique device models (identified by the User-Agent string transmitted in the beaconing request) running a range of Android versions between 4.0.3 and 4.4.4 communicated with the command and control servers since February 2,” Brandt said.
“The fact that some of these devices are known not to be vulnerable specifically to the Hacking Team libxslt exploit means that different exploits may have been used to infect some of these mobile devices.”
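The device profiling Brandt describes, building a picture of the infected population from the User-Agent strings in beacon requests to the command-and-control hosts, is easy to reproduce from proxy or web logs. The following is an added example, not Blue Coat's code: it parses constructed proxy log lines (the log format, the C2 hostnames and every sample line are assumptions made for illustration, not indicators from the article), keeps only requests to the assumed C2 hosts, extracts the Android version and device model from each User-Agent, counts each device once, and flags any device whose Android version falls outside the 4.0.3 to 4.4.4 range, which, as the quote notes, hints that a different exploit was used.

```python
"""Profile devices beaconing to known C2 hosts from web-proxy logs.

Added example, not Blue Coat's code. The log format, the C2 hostnames and
the sample lines below are constructed for illustration only.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed placeholder C2 hostnames (assumption; not indicators from the article).
C2_HOSTS = {"c2.example.invalid", "beacon.example.invalid"}

# Constructed proxy log lines: timestamp, client IP, method, URL, quoted User-Agent.
SAMPLE_LOG = """\
2016-02-02T10:00:01Z 10.0.0.11 GET http://c2.example.invalid/api/check "Mozilla/5.0 (Linux; U; Android 4.0.3; en-us; GT-I9100 Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30"
2016-02-02T10:00:05Z 10.0.0.12 GET http://c2.example.invalid/api/check "Mozilla/5.0 (Linux; Android 4.4.4; SM-G900F Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Mobile Safari/537.36"
2016-02-02T10:00:09Z 10.0.0.12 GET http://c2.example.invalid/api/check "Mozilla/5.0 (Linux; Android 4.4.4; SM-G900F Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Mobile Safari/537.36"
2016-02-02T10:01:13Z 10.0.0.13 GET http://beacon.example.invalid/api/check "Mozilla/5.0 (Linux; Android 5.1; Nexus 5 Build/LMY47I) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.0.0 Mobile Safari/537.36"
2016-02-02T10:02:00Z 10.0.0.14 GET http://news.example.invalid/index.html "Mozilla/5.0 (Linux; Android 4.2.2; LG-D802 Build/JDQ39) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.94 Mobile Safari/537.36"
2016-02-02T10:03:30Z 10.0.0.15 GET http://c2.example.invalid/api/check "Mozilla/5.0 (iPhone; CPU iPhone OS 9_2 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Mobile/13C75"
"""

# One assumed log line: five space-separated fields, the last one a quoted User-Agent.
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')

# Matches both the newer "Android 4.4.4; SM-G900F Build/..." form and the older
# "Android 4.0.3; en-us; GT-I9100 Build/..." form that carries a locale token.
ANDROID_UA_RE = re.compile(
    r"Android (\d+(?:\.\d+)*);(?: [a-z]{2}-[A-Za-z]{2};)? ([^;)]+?) Build/"
)

# Version range reported for the infected population in the article.
VULN_LOW, VULN_HIGH = (4, 0, 3), (4, 4, 4)


def parse_android_ua(ua):
    """Return (version_tuple, model) for an Android User-Agent, or None if it isn't one."""
    m = ANDROID_UA_RE.search(ua)
    if not m:
        return None
    version = tuple(int(part) for part in m.group(1).split("."))
    return version, m.group(2).strip()


def in_known_vulnerable_range(version):
    """True if the Android version lies in the 4.0.3 .. 4.4.4 range (inclusive)."""
    return VULN_LOW <= version <= VULN_HIGH


def profile_beacons(log_text, c2_hosts):
    """Build an infected-device profile from beacon requests to the given C2 hosts."""
    models = Counter()      # device model -> number of distinct beaconing devices
    versions = Counter()    # Android version string -> number of distinct devices
    outside_range = []      # (client, model, version) whose OS is outside the range
    non_android = []        # (client, user-agent) beaconing without an Android UA
    seen = set()            # (client, model) pairs already counted

    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip lines not in the assumed format
        _ts, client, _method, url, ua = m.groups()
        if urlsplit(url).hostname not in c2_hosts:
            continue                      # only beacon traffic to C2 is of interest
        parsed = parse_android_ua(ua)
        if parsed is None:
            non_android.append((client, ua))
            continue
        version, model = parsed
        if (client, model) in seen:
            continue                      # count each device once, not each beacon
        seen.add((client, model))
        version_str = ".".join(map(str, version))
        models[model] += 1
        versions[version_str] += 1
        if not in_known_vulnerable_range(version):
            outside_range.append((client, model, version_str))

    return {
        "unique_models": sorted(models),
        "by_version": dict(versions),
        "outside_range": outside_range,
        "non_android_clients": non_android,
    }


if __name__ == "__main__":
    profile = profile_beacons(SAMPLE_LOG, C2_HOSTS)
    print(f"{len(profile['unique_models'])} unique device models: {profile['unique_models']}")
    print("devices per Android version:", profile["by_version"])
    print("devices outside the 4.0.3-4.4.4 range:", profile["outside_range"])
```

On real logs the interesting output is the `outside_range` list: a device on Android 5.x or a model known not to ship the vulnerable browser component did not get there through the libxslt exploit, so those User-Agents are the ones to pull full request captures for. Counting per (client, model) rather than per request matters because the malware beacons repeatedly and would otherwise inflate the population.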
Unlike most current ransomware, Cyber.Police doesn't encrypt the data on an infected device; it only locks the device. It also demands payment in iTunes gift cards, a departure from the Bitcoin ransoms most attackers now demand. The malware prevents other apps from opening and, in Blue Coat's testing, survived having a newer build of Android flashed over the device, though not a factory reset.
“In this iteration of the malware, we found that we were still able to connect the infected device to a computer and copy the unmodified documents, photos, and other files from both the device’s internal memory and any additional storage card(s) that may be installed. The malware survived flashing over the operating system with a newer build of Android, but did not persist after a factory reset, which deletes any applications installed by the device’s user,” Brandt said.
Image from Flickr stream of Filip Malijkovic.