
New Android malware silently installs ransomware from website

The exploit was detailed by security firm Blue Coat Labs, which discovered the “novel attack method” when it observed a test phone install ransomware triggered by a JavaScript file embedded in an advert on a web page.
The JavaScript initiates the attack by using two known weaknesses in older versions of Android. The team found 224 unique Android device models, running Android versions between 4.0.3 and 4.4.4, that had been infected with the ransomware.
Dogspectus brands itself as Cyber Police to users, purporting to be from the “American national security agency.” It claims to be a message from law enforcement, warning the user that the device has been locked because of illegal online activity. A countdown timer shows how long is left to pay up and get the files unlocked before, the message claims, they are left permanently encrypted.

Screenshots of the Dogspectus Android ransomware that requests $200 in iTunes vouchers
Blue Coat Labs


The attack is unusual because there is no interaction with the user until the moment the “Cyber Police” message and payment demand appears. The malware bypasses the permissions dialogue that normally appears when an app is installed, so the user gets no warning that anything is being installed at all.
“This is the first time, to my knowledge, an exploit kit has been able to successfully install malicious apps on a mobile device without any user interaction on the part of the victim,” said Andrew Brandt of Blue Coat Labs. “During the attack, the device did not display the normal ‘application permissions’ dialog box that typically precedes installation of an Android application.”
Oddly, Dogspectus never actually encrypts any user data; it merely claims to have done so and assumes the victim will not know the difference. What it does do is render the phone unusable: it prevents every other app from opening, terminates processes that try to kill it, and sets itself to launch immediately at start-up. Because nothing is encrypted, the files can still be copied off the device and the phone restored with a factory reset.
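As an added illustration (not Blue Coat Labs' analysis and not code from the original article), the script below performs a heuristic triage of a decoded AndroidManifest.xml for the three behaviours described above: auto-start at boot, drawing a lock screen over every other app, and killing rival processes. The permission and receiver names it looks for are the standard Android mechanisms for those behaviours and are chosen here as an assumption for illustration; they are not indicators extracted from the Dogspectus sample. The sample manifest is constructed, not taken from the malware.

```python
"""Heuristic triage of a decoded AndroidManifest.xml for the persistence and
lock-screen behaviours described in the article.  Added example, not Blue Coat
Labs' tooling.  The mechanisms below are the usual Android ways to achieve
each behaviour (assumption), not indicators from the real Dogspectus APK."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"  # ElementTree's form of the android:name attribute

# Behaviour from the article -> Android mechanism commonly used for it (assumption)
SUSPICIOUS_PERMISSIONS = {
    "android.permission.RECEIVE_BOOT_COMPLETED": "launch at start-up",
    "android.permission.SYSTEM_ALERT_WINDOW": "draw a lock screen over every other app",
    "android.permission.KILL_BACKGROUND_PROCESSES": "terminate processes that try to kill it",
    "android.permission.GET_TASKS": "watch which app is in the foreground",
}

# Constructed sample manifest for a fake "Cyber Police" app (not the real malware).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.cyberpolice">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.KILL_BACKGROUND_PROCESSES"/>
  <application android:label="Cyber Police">
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <service android:name=".LockService"/>
  </application>
</manifest>
"""


def triage_manifest(xml_text):
    """Return a list of (indicator, reason) pairs found in the manifest text."""
    root = ET.fromstring(xml_text)
    findings = []

    # Requested permissions that map to the behaviours in the article.
    declared = {e.get(NAME) for e in root.iter("uses-permission")}
    for perm, why in SUSPICIOUS_PERMISSIONS.items():
        if perm in declared:
            findings.append((perm, why))

    # A receiver registered for BOOT_COMPLETED is the actual auto-start hook;
    # flag it independently of the permission so a missing permission line
    # does not hide it.
    for receiver in root.iter("receiver"):
        for action in receiver.iter("action"):
            if action.get(NAME) == "android.intent.action.BOOT_COMPLETED":
                findings.append((f"receiver {receiver.get(NAME)}", "boot-time auto-start"))
    return findings


def risk_score(findings):
    """Crude score: one point per indicator.  Three or more is worth a closer look."""
    return len(findings)


if __name__ == "__main__":
    hits = triage_manifest(SAMPLE_MANIFEST)
    for indicator, reason in hits:
        print(f"{indicator:55} {reason}")
    print("score:", risk_score(hits))
```

A real APK stores the manifest in binary XML; decode it first with a tool such as apktool or aapt before feeding it to this script. The score is a triage aid, not a verdict: legitimate launchers and security apps request some of the same permissions.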

Screenshots of the Dogspectus Android ransomware that requests $200 in iTunes vouchers
Blue Coat Labs


Unlike most ransomware, the attackers do not request payment in Bitcoin, whose pseudonymous addresses are hard to tie to a person, but instead ask for two $100 Apple iTunes gift card codes. That is a strange choice, as Apple could potentially trace the gift cards to whoever redeems them and so identify the criminals. It goes without saying that the ransom should never be paid, especially when nothing has actually happened to your data.
The attack appears to have been going on since at least mid-February and possibly for longer. At least two ad networks have been used to host the malicious ads. They have been displayed on over 40 websites, potentially infecting thousands of older Android devices.
