Android Towelroot Exploit Used to Deliver “Dogspectus” Ransomware

Andrew Brandt

[Image: Android Towelroot exploit]

An exploit kit that is being used to deliver ransomware to Android devices has been found to use several vulnerabilities to install malware onto the victim's phone or tablet silently in the background. Blue Coat Labs discovered the novel attack method when a test Android device in a lab environment was hit with the ransomware after an advertisement containing hostile JavaScript loaded from a Web page.

[Image: Android ransomware]

This is the first time, to my knowledge, that an exploit kit has been able to successfully install malicious apps on a mobile device without any user interaction on the part of the victim. During the attack, the device did not display the normal “application permissions” dialog box that typically precedes installation of an Android application.

After we consulted analyst Joshua Drake of Zimperium, he confirmed that the JavaScript used to initiate the attack contains an exploit against libxslt that was leaked during the Hacking Team breach. Drake also confirmed that the payload of that exploit, a Linux ELF executable named module.so, contains the code for the “futex” or “Towelroot” exploit that was first disclosed at the end of 2014.

The ELF payload (which only two antivirus companies classified as Towelroot at the time of this writing) in turn contains code that downloads and installs an Android .apk application – the ransomware Trojan.

The lab device, an older Samsung tablet, was running the Cyanogenmod 10 version of Android 4.2.2 at the time it was infected.

[Image: Android Towelroot vulnerability]

The commoditized implementation of the Hacking Team and Towelroot exploits to install malware onto Android mobile devices using an automated exploit kit has some serious consequences. The most important of these is that older devices, which have not been updated (nor are likely to be updated) with the latest version of Android, may remain susceptible to this type of attack in perpetuity. That includes so-called media player devices -- basically inexpensive, Android-driven video playback devices meant to be connected to TVs -- many of which run the 4.x branch of the Android OS. Some of these older Android devices are now in the same situation as PCs running Windows XP: The OS may still work, despite no longer receiving updates, but using it constitutes a serious risk of infection.

[Image: Towelroot vulnerability]

Some of the domains in the network from which the attack originated are less than a month old. But the attack seems to have been going on at least since mid-February and may have started even earlier. By following the connections between the domains used in the attack and the IP addresses where they are hosted, we built a map showing these relationships. In the chart, blue lines indicate a Web hosting relationship between IP and domains; yellow lines indicate shared domain registrant information; and red arrows indicate that malware is known to communicate with the IP addresses they point to.

While we have visibility into only some of the HTTP requests made on some of our customers' networks, we were able to build up a profile of the typical infected device, based on what we know about how the malware beacons to its command-and-control servers. We’ve determined that at least 224 unique device models (identified by the User-Agent string transmitted in the beaconing request) running a range of Android versions between 4.0.3 and 4.4.4 have communicated with the command-and-control servers since February 22. The fact that some of these devices are known not to be vulnerable to the Hacking Team libxslt exploit specifically means that different exploits may have been used to infect some of these mobile devices.

The ransomware, which labels itself Cyber.Police, resembles several older, pre-cryptographic ransomware families. It presents itself as a sort of law enforcement or intelligence agency intervention into your browsing habits. The purveyor of the scam claims to be the "American national security agency" or “Nation security agency” (sic). The malware was first described in a blog post last December.

[Image: Cyber.Police ransomware screen]

The ransomware neither threatens to encrypt the victim's data nor actually does so. Rather, the device is held in a locked state where it cannot be used for anything other than delivering payment to the criminals in the form of two $100 Apple iTunes gift card codes. That's unusual because it's far more common nowadays for ransomware to demand non-trackable cryptocurrency, like Bitcoin. In theory, it might be possible for Apple (or its iTunes gift card partners) to track who used the gift cards provided to the criminals, which may help investigators identify them.

[Image: Android ransomware]

Initially, the infected device displays a plain white screen with an Android icon and the non-sequitur text "Update now. Please read! Do not turn off or reboot your phone during update. Please try again later." At this point, it's still possible to hit the home button and back out of the application, but the damage has already been done. After a delay of several minutes, the ransom demand appears and the app prevents any other software from running.

[Image: infected Android device]

When we executed the application in Blue Coat's Malware Analysis product, we learned that the malware's internal name for itself is "net.prospectus" and that it engages in the sorts of behavior we've come to expect from ransomware: it kills all other apps; prevents other apps from launching or stopping the ransomware; sets itself up to be the first thing to start at boot time; profiles the infected device; and communicates with a command-and-control server.

[Image: Android malware analysis]

In this iteration of the malware, we found that we were still able to connect the infected device to a computer and copy the unmodified documents, photos, and other files from both the device's internal memory and any additional storage card(s) that may be installed. The malware survived flashing over the operating system with a newer build of Android, but did not persist after a factory reset, which deletes any applications installed by the device's user.

As with other ransomware, the best way to defeat the criminals is to keep a backup of those precious photos, videos, and other data files somewhere other than on your phone or tablet's internal memory or memory card. That way, you can just perform a factory reset and not worry about losing anything other than the time it takes to reconfigure and reinstall your mobile device's apps. Using a more up-to-date browser than the built-in Browser app included with Android 4.x devices is also highly recommended.

[Image: Android ransomware]

Is it even worth mentioning that you should never pay the ransom to these creeps? After all, even the ransomware will itself admonish you to “[r]emember, if somebody asks you to buy a iTunes Gift Card, it is a scam.” Irony, thy name is Dogspectus.

Indicators of compromise:

Advertising networks leveraged in the attack:
puhtml[.]com
terraclicks[.]com

Malvertising domains used to refer victims to the attack domains (subject to change):
acquisition.pw
adjecture.website
affectionately.pw
animatedr.pw
bankloundaccount.pw
bbs21.org
bellatorsestiatedly.website
besensibleofw.pw
cheerlessone.pw
concusestidirious.website
eagererswelwebsitee.website
energydietcatalist.pw
enunciatewhat.pw
grandmotherpickup.pw
gtyuossc.bid
inconstantvalley.pw
iontube.bid
jointube.bid
killerbeat.pw
killerdrawphoto.pw
l2winterserver.pw
leftthedeadkill.pw
lowbeatifulenergy.pw
moltainbrut.pw
motlotslotkitguide.pw
motocarsautodealers.pw
musicforcallback.pw
opengghd.bid
pinkgoldgrey.pw
portilyinglying.website
powerbucket.pw
practiceasarule.pw
routerscansshserver.pw
sequintuattractionist.website
toucannitionable.website
tubefoxxx.bid
tumnalize.website
waistcoat.pw
waterfulbigban.pw
wreteindex.pw

Ransomware source and C2:
directbalancejs[.]com
imgtumbsjs[.]com

Domains related to the ransomware source or C2 domains or IP addresses:
directscriptjs.com
directbalancejs.com
packetbalancejs.com
dnsscriptjs.com
jsloadbalancer.net
quicktembsload.net
pqtscriptdelivery.com
jquerydelivery.net
quickscriptsloads.com
pageloadoptimizer.net
mobileconversiontracker.net

Towelroot ELF executable (MD5): 8e3e03f44c24fc86de1f6de0e48b81f0

net.prospectus Android APK (MD5): e26710a4e499a797aab62fd0ad7ac19c (installs itself to the /data/data/net.prospectus/ path in internal storage)
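The following Python script is an added example, not code from the Blue Coat post, showing how a defender could put the indicators above to work together with the beacon-profiling approach described earlier in the post (counting device models and Android versions from the User-Agent of requests to the command-and-control domains). It undoes the "[.]" defanging, matches proxy-log hostnames (including subdomains) against the ad-network, C2 and related domains, looks up the two sample hashes, extracts the Android version and device model from the User-Agent, and flags beacons from versions outside the 4.0.3 to 4.4.4 range the post observed. The tab-separated log layout, the device models and every log line are constructed for the example and are not a Blue Coat product format or real traffic.

```python
# Added example, not code from the Blue Coat post. Log format and sample lines are constructed.
import re
from collections import Counter

# Indicators quoted from the post; "[.]" defanging is undone before matching.
INDICATORS = {
    "ad_network": ["puhtml[.]com", "terraclicks[.]com"],
    "c2": ["Directbalancejs[.]com", "imgtumbsjs[.]com"],
    "related": ["directscriptjs.com", "packetbalancejs.com", "dnsscriptjs.com",
                "jsloadbalancer.net", "quicktembsload.net", "pqtscriptdelivery.com",
                "jquerydelivery.net", "quickscriptsloads.com", "pageloadoptimizer.net",
                "mobileconversiontracker.net"],
}
KNOWN_MD5 = {"8e3e03f44c24fc86de1f6de0e48b81f0": "Towelroot ELF payload",
             "e26710a4e499a797aab62fd0ad7ac19c": "net.prospectus APK"}
AFFECTED_MIN, AFFECTED_MAX = (4, 0, 3), (4, 4, 4)  # Android versions the post saw beaconing
# Handles the 4.x stock-browser form ("Android 4.2.2; en-us; GT-P3110 Build/JDQ39")
# and the locale-less Chrome form ("Android 5.0.1; Nexus 5 Build/LRX22C").
UA_RE = re.compile(r"Android ([\d.]+);\s*(?:[a-zA-Z]{2}-[a-zA-Z]{2};\s*)?([^;)]+?)\s+Build/")

def refang(domain):
    """Turn a defanged indicator back into a matchable lowercase hostname."""
    return domain.replace("[.]", ".").lower()

def build_lookup():
    """Map each refanged indicator domain to its category."""
    return {refang(d): cat for cat, doms in INDICATORS.items() for d in doms}

def classify_host(host, lookup):
    """Category of host or of any parent domain (so subdomains match), else None."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):  # stop before the bare TLD
        cat = lookup.get(".".join(labels[i:]))
        if cat:
            return cat
    return None

def parse_ua(ua):
    """Extract (android_version, device_model) from a User-Agent, or None."""
    m = UA_RE.search(ua)
    return (m.group(1), m.group(2).strip()) if m else None

def in_affected_range(version):
    """True if an Android version string lies within 4.0.3 .. 4.4.4 inclusive."""
    parts = tuple(int(p) for p in version.split("."))
    parts += (0,) * (3 - len(parts))
    return AFFECTED_MIN <= parts[:3] <= AFFECTED_MAX

def lookup_md5(md5hex):
    """Name the known sample for a file hash, or None."""
    return KNOWN_MD5.get(md5hex.lower())

def scan(log_text):
    """One record per tab-separated line (time, client, host, path, UA) that hits an indicator."""
    lookup = build_lookup()
    hits = []
    for line in log_text.strip().splitlines():
        ts, client, host, path, ua = line.split("\t", 4)
        cat = classify_host(host, lookup)
        if cat is None:
            continue
        version, model = parse_ua(ua) or (None, None)
        hits.append({"time": ts, "client": client, "host": host, "category": cat,
                     "android": version, "model": model,
                     "in_range": in_affected_range(version) if version else None})
    return hits

def profile(hits):
    """Summarise C2 beacons: distinct models, version counts, and beacons from versions
    outside the observed range (the post's hint that other exploits were in play)."""
    beacons = [h for h in hits if h["category"] == "c2"]
    return {"models": sorted({h["model"] for h in beacons if h["model"]}),
            "versions": Counter(h["android"] for h in beacons),
            "outside_range": sum(1 for h in beacons if h["in_range"] is False)}

# Constructed sample proxy traffic (not real captures); device models are illustrative.
UA_42 = "Mozilla/5.0 (Linux; U; Android 4.2.2; en-us; GT-P3110 Build/JDQ39) AppleWebKit/534.30 Version/4.0 Safari/534.30"
UA_444 = "Mozilla/5.0 (Linux; U; Android 4.4.4; en-gb; SM-T210 Build/KTU84P) AppleWebKit/534.30 Version/4.0 Safari/534.30"
UA_403 = "Mozilla/5.0 (Linux; U; Android 4.0.3; en-us; HTC One X Build/IML74K) AppleWebKit/534.30 Mobile Safari/534.30"
UA_501 = "Mozilla/5.0 (Linux; Android 5.0.1; Nexus 5 Build/LRX22C) AppleWebKit/537.36 Chrome/40.0.2214.89 Mobile Safari/537.36"
SAMPLE_LOG = "\n".join("\t".join(r) for r in [
    ("2016-03-01T10:22:13Z", "10.0.0.5", "directbalancejs.com", "/api/beacon", UA_42),
    ("2016-03-01T10:22:15Z", "10.0.0.5", "cdn.imgtumbsjs.com", "/js/loader.js", UA_42),
    ("2016-03-01T10:25:40Z", "10.0.0.9", "www.example.com", "/index.html", UA_501),
    ("2016-03-01T10:30:02Z", "10.0.0.12", "terraclicks.com", "/ad?id=1", UA_444),
    ("2016-03-01T10:31:10Z", "10.0.0.12", "jsloadbalancer.net", "/b.js", UA_403),
    ("2016-03-01T10:35:55Z", "10.0.0.21", "directbalancejs.com", "/api/beacon", UA_501),
])

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(h["time"], h["client"], h["host"], h["category"], h["android"], h["model"], h["in_range"])
    print(profile(found))
```

Matching walks from the full hostname up through each parent domain, so a beacon to a subdomain of a listed C2 domain is still caught, while a bare TLD is never matched. The profile deliberately separates C2 beacons from ad-network and related-infrastructure hits: only the beacons tell you a device is infected, and a beacon from an Android version outside the observed range is exactly the kind of signal the post uses to infer that exploits other than the libxslt one were in play.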

Special thanks to Blue Coat's Waylon Grange and Zimperium's Josh Drake for their analysis of the exploit code, and to Blue Coat's Christian Mills for help searching for evidence of previous attacks and related domains.