Active Drive-By Attack Forcing Android Users to Install Ransomware


Android is no stranger to ransomware, and a newly discovered drive-by attack is installing ransomware on devices running older versions of Android. It is said to be the “first in-the-wild drive-by-download attack that exploits a chain of vulnerabilities to target Android users.” While the ransomware that gets installed is almost archaic in its methodology, the “commoditised implementation” of several previously known exploits in an active exploit kit is a significant wake-up call, as a large number of users on older Android versions can be infected with no real recourse.

Discovered by Blue Coat Labs, the exploit kit uses a hostile JavaScript that was leaked when Hacking Team was breached last year, and its treasure trove of hacking tools was put online. Its origins were ascertained by Zimperium’s Joshua Drake, when consulted by Blue Coat Labs. The drive-by-download attack forces the device to download and execute an Executable and Linkable Format (ELF) file when visiting a malicious webpage. The file in turn exploits the Towelroot vulnerability (patched by Google in Android 4.4 KitKat) from 2014 to install the Cyber.Police ransomware without raising any install permissions dialogues by using root privileges.

The ransomware is crude in comparison to today’s crypto-ransomware, and does not encrypt the data it is holding hostage. After gaining elevated privileges, the ransomware halts other apps and system processes, leaving users with a locked Android device. In order to unlock the device, the ransomware demands payment – which in this case is two $100 Apple iTunes gift card codes. These transactions can of course be tracked, whereas most modern ransomware demands payment in Bitcoin – which is virtually impossible to track.

So far, the hostile JavaScript was found in advertisements on porn sites, including some which were created less than a month ago. There’s of course no telling where else the script can show up. Blue Coat Labs says only two antivirus companies currently classify the ELF payload as dangerous.

As per Blue Coat Labs, at least 224 infected devices have been found thus far, including a few running Android 4.4 KitKat, implying that a different set of vulnerabilities is being exploited to install the ransomware on those devices with the newer Android version. As per Google’s own numbers – 23.5 percent of active Android devices run Android 4.0 Ice Cream Sandwich to Android 4.3 Jelly Bean. Even if one does not count the 33.4 percent of active devices that run Android 4.4 KitKat as vulnerable, it means that a significant proportion of the over 1 billion Android device users are vulnerable. The attack has been in the wild since mid-February, Blue Coat Labs says.


Andrew Brandt of Blue Coat Labs writes, “This is the first time, to my knowledge, an exploit kit has been able to successfully install malicious apps on a mobile device without any user interaction on the part of the victim. During the attack, the device did not display the normal ‘application permissions’ dialog box that typically precedes installation of an Android application.”

Detailing the Cyber.Police ransomware, Brandt says, “It presents itself as a sort of law enforcement or intelligence agency intervention into your browsing habits. The purveyor of the scam claims to be the American national security agency or Nation security agency.” Notably, the ransomware was first reported in December last year.

After being maliciously installed on the Android device, the ransomware shows a plain-text message saying, “Update now. Please read! Do not turn off or reboot your phone during update. Please try again later.” Blue Coat Labs, after some digging, found that the malware’s internal name is “net.prospectus.” As expected from ransomware, it kills all installed apps on the device and even prevents new apps from launching.

As the ransomware is crude and does not encrypt the Android device’s data after taking control of it, users can still copy their data via a PC, before performing a factory reset to remove the ransomware. But as we mentioned, the method of the exploit kit is significant, as it can be used to affect millions of devices running older versions of Android that have no hope of an update lined up for them.

Apart from taking regular backups of important data on your Android device, Blue Coat Labs suggests using an up-to-date browser instead of the built-in browser on the Android device.
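The facts above (Towelroot patched in Android 4.4, the malware's internal name “net.prospectus”, and the back-up-then-factory-reset remedy) lend themselves to a quick fleet triage. The following is an added example, not Blue Coat Labs' tooling; it assumes the internal name appears as an installed package name (hypothetical) and that the per-device input mimics `adb shell getprop ro.build.version.release` and `adb shell pm list packages` output, constructed here inline.

```python
from typing import Dict, List, Tuple

# Internal name reported by Blue Coat Labs; assumed (hypothetically) to be the package name.
RANSOMWARE_PACKAGE = "net.prospectus"
# Google patched the Towelroot vulnerability in Android 4.4 KitKat.
TOWELROOT_FIXED_IN = (4, 4)


def parse_version(release: str) -> Tuple[int, ...]:
    """Turn a release string such as '4.1.2' into (4, 1, 2); non-numeric suffixes are dropped."""
    parts: List[int] = []
    for piece in release.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def parse_package_list(pm_output: str) -> List[str]:
    """Parse `pm list packages` lines of the form 'package:com.example.app'."""
    return [line.split(":", 1)[1].strip()
            for line in pm_output.splitlines() if line.startswith("package:")]


def triage_device(release: str, pm_output: str) -> str:
    """Classify one device: infected, exposed (pre-4.4, Towelroot unpatched) or towelroot_patched."""
    if RANSOMWARE_PACKAGE in parse_package_list(pm_output):
        return "infected"            # copy data off via PC, then factory reset
    if parse_version(release) < TOWELROOT_FIXED_IN:
        return "exposed"             # no Towelroot fix will ever arrive for these builds
    # 4.4+ is not Towelroot-exposed, though the report saw KitKat infections via other bugs.
    return "towelroot_patched"


def triage_fleet(devices: Dict[str, Tuple[str, str]]) -> Dict[str, str]:
    """Map device id -> verdict for a dict of id -> (release string, pm output)."""
    return {dev_id: triage_device(rel, pm) for dev_id, (rel, pm) in devices.items()}


# Constructed sample fleet (not real device data).
SAMPLE_FLEET = {
    "tablet-01": ("4.1.2", "package:com.android.chrome\npackage:net.prospectus\n"),
    "phone-02": ("4.3", "package:com.android.chrome\n"),
    "phone-03": ("4.4.2", "package:com.android.chrome\n"),
}

if __name__ == "__main__":
    for dev, verdict in triage_fleet(SAMPLE_FLEET).items():
        print(f"{dev}: {verdict}")
```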

Leaving us with the significance of the exploit, Brandt says, “The commoditized implementation of the Hacking Team and Towelroot exploits to install malware onto Android mobile devices using an automated exploit kit has some serious consequences. The most important of these is that older devices, which have not been updated (nor are likely to be updated) with the latest version of Android, may remain susceptible to this type of attack in perpetuity. That includes so-called media player devices — basically inexpensive, Android-driven video playback devices meant to be connected to TVs — many of which run the 4.x branch of the Android OS. Some of these older Android devices are now in the same situation as PCs running Windows XP: The OS may still work, despite no longer receiving updates, but using it constitutes a serious risk of infection.”