'Dogspectus' Breaks New Ground For Android Ransomware

Malware writers appear to have broken new ground with ‘Dogspectus’ a ransomware sample that infects smartphones and tablets running certain older versions of Android, via drive by download.

Unlike other mobile ransomware tools, Dogspectus does not require users to interact with it in any way in order to infect a device. Rather, the malware takes advantage of several vulnerabilities in Android versions 4.x to install itself silently on a user’s device.

The malware is contained in an exploit kit served up through malicious advertisements on several porn sites says Andrew Brandt, director of threat research at Blue Coat Systems, which disclosed details of the threat in an advisory this week.

The malware does not encrypt data like other ransomware tools. Instead it basically locks up an infected device and prevents the user from carrying out any function other than paying up a ransom to unlock it. In this case, the ransom is in the form of two, $100 Apple iTunes gift cards.

Users at risk are those who have mobile devices running Android 4.x , using the built in browser app that originally shipped with the device—and visiting porn sites with the malicious ads, Brandt said in comments to Dark Reading.

Gain insight into the latest threats and emerging best practices for managing them. Attend the Security Track at Interop Las Vegas, May 2-6. Register now!

Blue Coat said it discovered the ransomware when a test Android device in its possession became infected via a malicious advertisement served up from a website. According to the company, what makes Dogspectus interesting is the manner in which the malware infiltrates vulnerable devices.

The malicious Javascript that is used to launch the attack leverages an exploit developed by Italian surveillance firm Hacking Team that was publicly leaked last year following a data breach at the company.

The Hacking Team exploit delivers a malicious file on the device, which then profiles the device and sends the information to a remote command and control server. The CnC server in turn downloads an Android application package and installs it as root on the compromised device using a previously known exploit known as Towelroot.  It is this package that contains Dogspectcus.

Brandt says it takes just ten seconds from the moment the porn page is loaded to when the exploit kit completes its work and delivers the first malware to the device.

Following initial discovery of the threat, Blue Coat conducted a broader analysis and discovered that a whole network of domains has been involved in similar attacks since at least mid-February and in some cases even longer. The analysis shows that at least 224 Android device models running Android versions ranging from 4.0.3 and 4.4.4 have communicated with the command and control servers in the past few months, Blue Coat said.

The Hacking Team exploit itself is known to work only on Android versions 4.3, and before. So the fact that devices running Android 4.4.x were also infected suggests that the malware authors are exploiting other Android vulnerabilities as well, the security firm said.

Finding the source of the infection has been challenging because of the measures the malware authors have taken to hide their tracks. Blue Coat’s analysis showed that “there were six redirections in the seven seconds between when the porn site loaded its first page, and the exploit began to run,” Brandt says.

The malicious advertising domains being used to serve up the exploit kits also use new “weird” top-level domains like .pw, .xyx and .me.  “The operators of new [top-level domains] have a major problem deflecting criminals from using their services,” he says.

Because the ransomware does not encrypt data, Brandt says he was able to recover the contents of the infected Blue Coat test device by connecting it to a laptop, mounting it as a USB drive and copying everything off internal storage. “The ransomware and [initial executable] were both deleted from the device when I performed a factory reset and wiped everything off the device," he adds.

Related stories: