Android is fast becoming a byword for mobile malware. The latest attack has been detailed by Andrew Brandt, Director of Threat Research, Blue Coat Labs and published in a blog entitled “Towelroot and Leaked Hacking Team Exploits Used to Deliver ‘Dogspectus’ Ransomware to Android Devices”.
As the blog title implies this latest attack relies on known vulnerabilities to attack Android devices. According to Brandt’s blog: “Blue Coat Labs discovered the novel attack method when a test Android device in a lab environment was hit with the ransomware when an advertisement containing hostile Javascript loaded from a Web page.” The fact that it happened under lab conditions meant that Blue Coat Labs were able to immediately investigate the attack.
What did Blue Coat Labs find?
The attack revealed what Brandt believes to be a first, the ability of: “an exploit kit to successfully install malicious apps on a mobile device without any user interaction on the part of the victim.” It turns out that at no point did the device display the application permissions box that is required for an Android app to be installed on a device.
Brandt says that he then spoke to another security researcher, the well respected Joshua Drake of Zimperium, to ask about this. Drake apparently confirmed that this is an exploit against libxslt, part of the Android OS. This exploit was first revealed last year when Italian security company Hacking Team suffered a security breach that disclosed a host of previously unknown software vulnerabilities that the company had discovered, weaponised and was selling to its clients.
At the time, there was a major concern that the information that had been stolen would be used by hackers. This is just the latest example of that happening and demonstrates that more still needs to be done to resolve and patch systems that Hacking Team knew were vulnerable. The libxslt exploit is used to download code known as ‘futex’ or ‘Towelroot’ which, in turn, downloads the Dogspectus ransomware Trojan.
Once installed on the device, the ransomware locks it and demands that the user purchases two $100 iTunes gift card codes. Brandt calls out that this is unusual as there is nothing to stop Apple from tracking who used the gift card codes and helping the police trace the cards back to the cybercriminals.
Is this a case of poor patching?
A good question. A lot of software companies including Google have issued patches for the libxslt vulnerability but that doesn’t mean that they have been applied. Brandt highlights that older Android devices that have not been updated are particularly at risk. Those devices are not likely to be phones or tablets but instead will be media player devices.
Such devices are rarely updated yet are regularly used to hold important media files. This includes films that users have purchased online, images that they have taken, their audio libraries and even TV that they have recorded to watch later. Infecting these devices will be easy with this exploit as they are also used to provide Internet access using the TV as a monitor and all come equipped with a browser.
What Brandt doesn’t do is give any indication of the number of devices or manufacturers that could be affected. He also ignores the growing number of Android-based devices that are connected into vehicles and used to provide media to passengers along with Internet access.
In the recent EU vs Google case, one of the things Google is accused of is trying to stifle the forking of Android or the creation of other versions of it. The EU believes that this stifles competition. From a security perspective it means that when any of those forks dies due to a company losing interest or going out of business, the user is left vulnerable.
It will be interesting to see if the EU is willing to go as far as asking Google to help clean up the vast number of Android forks and find a way to patch or update older systems. This could be a valid alternative to a large fine for Google and would have the benefit of providing both Google and the EU with a way out of a court case by focusing on consumers rather than bolstering the EU coffers.
Malvertising a key part of Dogspectus’ success
There should be no surprise in the fact that malvertising plays a significant part in the success of Dogspectus. Brandt’s blog lists over 40 domains that redirect users to the Dogspectus source and Command and Control servers. It also lists a number of other domains and IP addresses that it has discovered are linked to this attack.
This is not a complete list of places where users can get infected or which are involved. As Brandt admits: “We only have visibility into some of the HTTP traffic requests made on the networks of some of our customers.” This suggests that there are a lot of other places where users could get infected.
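Because the blog's indicator list is only useful if it is actually checked against your own traffic, the script below shows the kind of proxy-log sweep a defender would run. It is an added example, not code from Brandt's blog or from Blue Coat; the domains in `BLOCKLIST` and the log lines in `SAMPLE_LOG` are constructed placeholders (the real indicators are in the Blue Coat Labs post and are not reproduced here), and the log format is a simplified assumption that you would adapt to your proxy's actual output.

```python
"""Sweep HTTP proxy log lines for contact with listed domains.

Added example; not from the Blue Coat Labs blog or this article.
The indicator list and log lines are constructed placeholders.
"""
import re
from urllib.parse import urlsplit

# Constructed placeholder indicators (NOT the real Dogspectus domains).
# Replace with the domain list published by Blue Coat Labs.
BLOCKLIST = {
    "example-redirector.invalid",
    "example-c2.invalid",
}

# Constructed sample proxy lines: timestamp, client IP, method, URL, status.
SAMPLE_LOG = """\
2016-04-25T10:01:02Z 10.0.0.12 GET http://ads.example.com/banner.js 200
2016-04-25T10:01:03Z 10.0.0.12 GET http://cdn.example-redirector.invalid/r.php?id=1 302
2016-04-25T10:01:05Z 10.0.0.12 GET http://example-c2.invalid/checkin 200
2016-04-25T10:02:00Z 10.0.0.40 GET https://www.example.org/ 200
"""

# Assumed log layout: five whitespace-separated fields.
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def host_matches(host, blocklist):
    """True if host equals a listed domain or is a subdomain of one.

    Subdomain matching matters because redirector chains often use
    throwaway hostnames under a listed parent domain.
    """
    host = host.lower().rstrip(".")
    for bad in blocklist:
        if host == bad or host.endswith("." + bad):
            return True
    return False


def find_hits(log_text, blocklist=BLOCKLIST):
    """Return one record per log line whose URL host is on the list."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        ts, client, method, url, status = m.groups()
        host = urlsplit(url).hostname or ""
        if host_matches(host, blocklist):
            hits.append({"time": ts, "client": client,
                         "host": host, "url": url, "status": status})
    return hits


def clients_to_triage(hits):
    """Distinct client addresses that touched a listed domain."""
    return sorted({h["client"] for h in hits})


if __name__ == "__main__":
    found = find_hits(SAMPLE_LOG)
    for h in found:
        print(h)
    print("clients to triage:", clients_to_triage(found))
```

Any client in the triage list should be treated as a device that at least loaded the redirector, whether or not the exploit chain went on to succeed; the status code and the order of requests help tell a blocked redirect from a completed check-in.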
What does this mean for BYOD and corporate data?
This is where there is some relief provided you take reasonable precautions and have skilled staff. It appears that all Dogspectus is doing is locking the screen rather than encrypting all the files and data. The ransomware will survive you flashing the device with a newer version of Android.
However, there is good news. As the files are not encrypted, it is possible to connect the device to a computer and then copy all of the files off it. This means that data can be recovered with just a small amount of effort.
There are caveats to this. At the moment there is no guarantee when doing this that you won’t copy something that will cause Dogspectus to return. Also, this is only guaranteed to work on the version that Brandt and the Blue Coat Labs teams have examined. A later version might opt to encrypt files or, in the worst case scenario, detect that the device has been connected to a computer and then attempt to attack that computer.
Conclusion
Once again we are seeing cybercriminals taking advantage of shared knowledge to create new attacks using existing tools. The fact that the attack is successful at all shows how poor most patching practices are and highlights how easy it is for Android forks to get forgotten about when patches and update code are issued.
The bigger issue here is the ability of Dogspectus to install itself on the device without any user intervention or notification. It is likely that this attack method is already being adapted to work with other attacks that could be far more aggressive.