Active drive-by exploits critical Android bugs, care of Hacking Team

Kuttz

Level 13
Thread author
Verified
Top Poster
Well-known
May 9, 2015
630
Hostile JavaScript delivered through ads installs ransomware on older Android phones.

An ongoing drive-by attack is forcing ransomware onto Android smartphones by exploiting critical vulnerabilities in older versions of Google's mobile operating system still in use by millions of people, according to research scheduled to be published Monday.

The attack combines exploits for at least two critical vulnerabilities contained in Android versions 4.0 through 4.3, including an exploit known as Towelroot, which gives attackers unfettered "root" access to vulnerable phones. The exploit code appears to borrow heavily from, if not copy outright, some ofthese Android attack scripts, which leaked to the world following the embarrassing breach of Italy-based Hacking Team in July. Additional data indicates devices running Android 4.4 may also be infected, possibly by exploiting a different set of vulnerabilities.

It's the first time—or at least one of only a handful of times—Android vulnerabilities have been exploited in real-world drive-by attacks. For years, most Android malware has spread by social engineering campaigns that trick a user into installing a malicious app posing as something useful and benign. The drive-by attack—which has been active for at least the past 60 days and was discovered by security firm Blue Coat Systems—is notable because it's completely stealthy and requires no user interaction. The company's findings have been published here.

"This looks like a decently sophisticated attack," said Joshua Drake, vice president for platform research and exploitation at Zimperium. "This attack is powerful because it leverages vulnerabilities in software that's installed by default to surreptitiously take full control of a victim's device. As far as I am aware, this attack represents the first in-the-wild drive-by-download attack that exploits a chain of vulnerabilities to target Android users. While this attack uses older vulnerabilities, it represents a change in the tactics used by malicious actors in the Android space."

Drake's assessment was based on his review of code that was delivered when a Samsung tablet running Android 4.2.2 in Blue Coat's lab was infected after viewing a malicious ad delivered over a porn site. Data from Blue Coat logs indicates that at least 224 Android devices running Android 4.x, including 4.4, may have been infected. The handsets were connected to 77 different enterprise networks protected by a Blue Coat security service, so the data likely reflects only a tiny fraction of the total number of infections on the Internet at large.


More at: Active drive-by exploits critical Android bugs, care of Hacking Team
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top