The exploit was detailed by security firm Blue Coat Labs, which discovered the “novel attack method” when it observed a test phone install ransomware triggered by a JavaScript file embedded in an advert on a webpage.
The JavaScript initiates the attack by exploiting two known vulnerabilities in older versions of Android. The team found 224 unique Android device models, all running Android versions between 4.0.3 (Ice Cream Sandwich) and 4.4.4 (KitKat), that had been infected with the ransomware.
Dogspectus presents itself to users as “Cyber Police,” purporting to be from the “American national security agency.” It claims to be a message from law enforcement warning that the device has been locked because of illegal online activity. A countdown timer shows how long the victim has left to pay up and have their files unlocked before, it claims, they are permanently encrypted.
The attack is notable because no user interaction is required at any point before the “Cyber Police” message and payment demand appear. The malware bypasses the permissions dialogue normally displayed when an app is installed, so the user has no indication that anything is being installed.
“This is the first time, to my knowledge, an exploit kit has been able to successfully install malicious apps on a mobile device without any user interaction on the part of the victim,” said Andrew Brandt of Blue Coat Labs. “During the attack, the device did not display the normal ‘application permissions’ dialog box that typically precedes installation of an Android application.”
Oddly, Dogspectus never actually encrypts any user data; it merely claims to, betting that the victim will not know the difference. What it does do is render the phone unusable: it prevents every other app from opening, terminates processes that try to kill the ransomware and sets itself to launch immediately at start-up. Because nothing is encrypted, the data is still intact and the device can be cleaned with a factory reset. A factory reset wipes the device, so anything worth keeping should be copied off before it is performed.
Unlike most ransomware, the attackers do not request payment in the pseudonymous Bitcoin cryptocurrency, instead asking for two $100 Apple iTunes gift card codes. That is a strange ransom demand, especially as Apple could potentially trace the gift cards to determine the identity of the criminals. It goes without saying that the ransom should never be paid, especially when nothing actually happens to the data.
The attack appears to have been going on since at least mid-February and possibly longer. At least two ad networks have been used to serve the malicious ads, which have been displayed on over 40 websites, potentially infecting thousands of older Android devices.