Android Ransomware Attacks Using Towelroot, Hacking Team Exploits


Drive-by exploits install ransomware on outdated Android devices using a stolen Hacking Team exploit and the first weaponized Towelroot attack.

A menacing wave of ransomware that locks up Android devices and demands victims pay $200 in Apple iTunes gift card codes is raising concern among security researchers. The attacks, they say, open a new chapter for Android: older devices are now in the same position as machines still running Microsoft’s obsolete, unpatched and unsupported Windows XP.

“This is a new and troubling development for the Android OS. This ransomware thrives on outdated Android devices that are not patched and will likely never be,” said Andrew Brandt, a researcher at Blue Coat and the analyst who discovered the campaign.

He said the ransomware attacks Android 4.x operating systems, the versions shipped on most devices sold in 2012 and 2013. Those versions are still in use on approximately 60 percent of Android devices around the world, according to Google’s own estimates. And just as Microsoft stopped patching Windows XP, Google is highly unlikely to patch a 5-year-old OS, Brandt said.

“What we have here is a fully operational operating system which no longer receives updates,” Brandt said. “Users are in danger of infection just by using it. Having things installed without any user interaction until it’s too late is a pretty scary new development in Android threats.”

Brandt told Threatpost that the ransomware uses a three-stage attack. First, a drive-by libxslt exploit embedded in ads compromises the default browser on Android versions 4.0.3 through 4.4.4. So far, the malicious ads have been placed on porn websites.

The libxslt exploit, Brandt said, was among those stolen from Hacking Team in July of last year. But the authors appear to be using an updated version of it that infects a larger range of Android 4.x devices than earlier versions did.

Phase two, Brandt said, is installing a weaponized version of the Towelroot rooting utility. Towelroot was once a popular single-click rooting tool, widely used by non-technical users on Samsung Galaxy handsets and other devices running Android 4.4.2, according to Khang Nguyen, a security researcher at Duo Security.

Towelroot, said Nguyen, is an exploit for CVE-2014-3153, a vulnerability that affected the Linux kernel through 3.14.5. CVE-2014-3153 was discovered by comex (Nicholas Allegra), and Towelroot, the first exploit for it, was written by well-known hacker geohot (George Hotz). This is not the first public Towelroot exploit, but it is likely the first drive-by malware attack using a weaponized version of Towelroot, Nguyen said.

The use of Towelroot is twofold. The first, Brandt said, is that Towelroot suppresses the normal pop-up permissions window on Android that appears when you install programs from Google Play. “All installs are silent and in the background,” he said.

Under that cover, the criminals use the compromised Android devices to download the ransomware, called Cyber.Police. This is non-crypto ransomware that displays a note vaguely resembling an official warning aimed at visitors of porn websites, stating: “All actions are illegal, are fixed. History query stored in the database of the U.S. Department of Homeland Security.” The attackers claim to be either the “American national security agency” or the “nation security agency”.

“The ransomware doesn’t threaten to (or actually) encrypt the victim’s data.  Rather, the device is held in a locked state where it cannot be used for anything other than delivering payment to the criminals in the form of two $100 Apple iTunes gift card codes,” Brandt wrote in a research note.

Victims who opt to pay the ransom to unlock their phone are directed to pay a “fine” of between $100 and $200 to a “treasury account” by submitting iTunes gift card codes. Use of iTunes gift cards for ransomware payments is unusual, given that Bitcoin has been the preferred hard-to-trace payment method for crypto-ransomware attackers for over a year now.

Brandt said the easiest and most effective way to remove the ransomware is to restore the Android device to its original factory default software.

“When we executed the application…, we learned that the malware’s internal name for itself is “net.prospectus” and engages in the sorts of behavior we’ve come to expect from ransomware: It kills all other apps; prevents other apps from launching or stopping the ransomware,” Brandt wrote. “It sets itself up to be the first thing to start at boot time; profiles the infected device; and communicates with a command-and-control server.”

The best way to mitigate these attacks is to use a device that runs a more recent version of Android than the Android 4 family, Nguyen said. Blue Coat recommends keeping a fresh device backup somewhere other than on your phone or tablet’s internal memory or memory card. “That way, you can just perform a factory reset and not worry about losing anything other than the time it takes to reconfigure and reinstall your mobile device’s apps,” Brandt said.
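The exposure and infection checks implied by this article (the 4.0.3 to 4.4.4 browser range for the libxslt drive-by, the Linux 3.14.5 fix for the CVE-2014-3153 bug Towelroot exploits, and the net.prospectus package name Blue Coat observed) can be turned into an offline triage script. The following is an added example, not tooling from Blue Coat, Duo Security or Threatpost. It takes the raw text that `adb shell getprop ro.build.version.release`, `adb shell uname -r` and `adb shell pm list packages` print, so it runs without a device attached; the sample command output embedded at the bottom is constructed for this example, and the kernel check is deliberately reported as a heuristic because OEMs backport fixes without changing the version string.

```python
"""Offline triage for the Android 4.x drive-by / Towelroot ransomware campaign.

Added example, not code from Blue Coat, Duo Security or the article's author.
Inputs are the text printed by three adb commands:
  adb shell getprop ro.build.version.release   -> e.g. "4.4.2"
  adb shell uname -r                            -> e.g. "3.4.0-2049009"
  adb shell pm list packages                    -> lines "package:<name>"
Facts applied (from the article):
  * libxslt drive-by hits the stock browser on Android 4.0.3 through 4.4.4;
  * Towelroot exploits CVE-2014-3153, fixed upstream in Linux 3.14.5, so an
    older version string *may* be vulnerable (heuristic: OEM backports exist);
  * the dropped ransomware's internal package name is net.prospectus.
"""
import re

LIBXSLT_BROWSER_RANGE = ((4, 0, 3), (4, 4, 4))  # inclusive, per the article
TOWELROOT_FIXED_KERNEL = (3, 14, 5)             # upstream fix for CVE-2014-3153
RANSOMWARE_PACKAGE = "net.prospectus"           # internal name per Blue Coat


def parse_version(text):
    """'3.4.0-2049009' -> (3, 4, 0); '4.4' -> (4, 4, 0). Build suffixes are ignored."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError("no version number in %r" % text)
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple((parts + [0, 0, 0])[:3])


def parse_package_list(pm_output):
    """Keep only the package names from 'package:com.example.app' lines."""
    return frozenset(
        line.split(":", 1)[1].strip()
        for line in pm_output.splitlines()
        if line.startswith("package:")
    )


def triage(getprop_output, uname_output, pm_output):
    """Classify one device from the three command outputs; returns a dict."""
    android = parse_version(getprop_output)
    kernel = parse_version(uname_output)
    packages = parse_package_list(pm_output)

    lo, hi = LIBXSLT_BROWSER_RANGE
    browser_exposed = lo <= android <= hi
    kernel_suspect = kernel < TOWELROOT_FIXED_KERNEL
    infected = RANSOMWARE_PACKAGE in packages

    # Ordered by severity: an infected device needs the factory reset the
    # article recommends; an exposed-but-clean one should be retired.
    if infected:
        action = "factory-reset from a backup kept off the device"
    elif browser_exposed:
        action = "retire or upgrade: stock browser on this Android is exploitable"
    elif kernel_suspect:
        action = "confirm CVE-2014-3153 backport with the OEM before trusting this kernel"
    else:
        action = "no exposure found by these checks"

    return {
        "android": android,
        "kernel": kernel,
        "browser_exposed": browser_exposed,
        "kernel_possibly_vulnerable": kernel_suspect,
        "infected": infected,
        "action": action,
    }


# Constructed adb output (not captured from a real device) for an aging
# handset that has already been hit by the campaign.
SAMPLE_OLD_DEVICE = (
    "4.4.2\n",
    "3.4.0-2049009\n",
    "package:com.android.browser\npackage:com.android.settings\npackage:net.prospectus\n",
)

# Constructed output for a newer device whose 3.10 kernel string alone trips
# the heuristic, which is why that finding is reported as "possibly" vulnerable.
SAMPLE_NEW_DEVICE = (
    "6.0.1\n",
    "3.10.73-g5f29a3b\n",
    "package:com.android.chrome\npackage:com.android.settings\n",
)

if __name__ == "__main__":
    for name, outputs in (("old", SAMPLE_OLD_DEVICE), ("new", SAMPLE_NEW_DEVICE)):
        print(name, triage(*outputs))
```

In practice the three strings come from `adb shell` over a fleet, and the `kernel_possibly_vulnerable` flag should be treated as a prompt to ask the OEM (or test the futex fix directly), not as confirmation, since a 3.4 or 3.10 kernel may carry the backported patch.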
