ransomware-can-infect-android-devices-without-any-user-interaction-503394-2.jpg ransomware-can-infect-android-devices-without-any-user-interaction-503394-3.jpg

Today, researchers have discovered a new mobile malware distribution campaign that does not require any type of user interaction in order to infect devices with ransomware.

The infection occurs when users visit a website that contains tainted JavaScript code. Blue Coat Labs says the malicious code is delivered via malicious ads (malvertising).

Security researchers from Zimperium have confirmed that the malicious code contained an exploit leaked last year in the Hacking Team data breach.

Malvertising hits Android devices
The exploit leverages a vulnerability in the libxslt Android library to allow attackers to download a Linux ELF binary called module.so on the device.

This binary uses the Towelroot Android exploit (also the name of a rooting tookit) to get root privileges on the device. Once root access is ensured, module.so will also download an additional Android APK, which contains the ransomware code.

With root access in hand, the attacker can silently install the ransomware without prompting the user for any permissions.

Ransomware targets mainly older Android devices
The name of this ransomware trojan is Cyber.Police and was first detected back in December 2014. Compared to desktop-based ransomware that encrypts files, Cyber.Police only locks the user's screen and asks them to buy two Apple iTunes gift cards worth $100 each.

Even if Apple tracks iTunes gift cards, these can be used as virtual currency on the underground hacking market and passed around for years between numerous individuals before being used.

Blue Coat Labs says that infected victims send unencrypted traffic from their device to a central command and control server. The company was able to track traffic coming from 224 different Android device models (tablets, smartphones), using Android versions between 4.0.3 and 4.4.4.

The lowest officially supported version of Android is 4.4.4, meaning attackers are targeting users who have failed or cannot upgrade their devices.

"The fact that some of these devices are known not to be vulnerable specifically to the Hacking Team libxlst exploit means that different exploits may have been used to infect some of these [other] mobile devices," Andrew Brandt of Blue Coat notes.

How to get rid of Cyber.Police
In case you find yourself infected with the Cyber.Police Android ransomware, Blue Coat says that they've managed to remove the malware after resetting the device to factory settings.

Before going through a factory reset, users should connect the device to their PC and copy personal data to their computer.

Upgrading to a newer version of Android did not help because Cyber.Police was installed as a normal application, and Android updates keep apps intact while upgrading.
Last edited by a moderator:

Axelrod Sven

Level 3
"As long as I don't download apps from outside the Google Playstore, I won't be infected". I can think of several (hundred?) people right here on these forums who trumpet that claim. Maybe it's early days, but they don't seem to be wanting to comment here.

That said, this is an interesting article. I wonder what Android Security is the most effective at Safe Browsing. Hopefully AV-test will shed some light on that.
  • Like
Reactions: Der.Reisende