Dogspectus ransomware campaign relies on Leaked Hacking Team Exploits and Towelroot

Pierluigi Paganini April 26, 2016

Blue Coat spotted a new ransomware-based campaign serving the Dogspectus malware. Crooks combined a Hacking Team exploit and the Towelroot exploit.

Security experts at Blue Coat have spotted a new campaign spreading an Android Ransomware dubbed Dogspectus. The malicious code hijacks mobile advertisements to scam gift cards, it locks the device in a state that allows only victims to make payment.

The malicious code demands the payment of a $200 fee in iTunes gift cards. The experts at Blue Coat Labs first spotted the threat after a tablet running CyanogenMod 10 / Android 4.2.2 viewed an advertisement that silently served malicious payloads without any user interaction.

Dogspectus ransomware

The Exploit Kit used by crooks in this campaign relies on a previously leaked Hacking Team exploit (lbxslt) to serve the Android exploit known as Towelroot. The tool was released by the popular hacker George Hotz in 2014, it is able to root Android devices exploiting a known Linux flaw (CVE-2014-3153).

The attack is very sophisticated and represents an evolution of the classic malvertising attack, as explained by Andrew Brandt from Blue Coat.

“This is the first time, to my knowledge; an exploit kit has been able to successfully install malicious apps on a mobile device without any user interaction on the part of the victim. During the attack, the device did not display the normal “application permissions” dialog box that typically precedes installation of an Android application.” wrote Brandt. “After consulting with analyst Joshua Drake of Zimperium, he was able to confirm that the Javascript used to initiate the attack contains an exploit against libxslt that was leaked during the Hacking Team breach.”

The operators behind the malware campaign used the Hacking Team exploit in conjunction with the Towelroot tool realizing a very stealth attack that is able to compromise almost every old device that has not been updated with the last release of the Google OS. Be careful, it does not matter if the mobile device is rooted or not to be compromised by the Dogspectus ransomware, bacause the Towelroot allows an attacker to escalate rivileged on the infected devices.

“The commoditized implementation of the Hacking Team and Towelroot exploits to install malware onto Android mobile devices using an automated exploit kit has some serious consequences. The most important of these is that older devices, which have not been updated (nor are likely to be updated) with the latest version of Android, may remain susceptible to this type of attack in perpetuity.” continues the post.

The experts determined that at least 224 unique device models running a range of Android versions between 4.0.3 and 4.4.4 (5.x or 6.x are not impacted) contected the command and control servers since February 22.

The problem is serious if we consider that 59.6 percent of the Android devices are currently running version 4.4 or lower.

Android versions vulnerable to Dogspectus ransomware

The samples analyzed by the researchers allow the connection of the infected device to a computer and copy all the files still unlocked from both the internal memory and any additional storage card. The experts also noticed that flashing over the operating system with a newer build of Android doesn’t eliminate the Dogspectus ransomware, meanwhile, a factory reset will eradicate it.

In order to limit the effects of a ransomware infection, it is important to maintain an updated backup of any important data present on the device.

“As with other ransomware, the best way to defeat the criminals is to keep a backup of those precious photos, videos, and other data files somewhere other than on your phone or tablet’s internal memory or memory card. That way, you can just perform a factory reset and not worry about losing anything other than the time it takes to reconfigure and reinstall your mobile device’s apps,” concludes Brandt.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Dogspectus ransomware, Android)

you might also like

leave a comment