Blue Coat Labs
Android Towelroot Exploit Used to Deliver “Dogspectus” Ransomware
This is the first time, to my knowledge, that an exploit kit has been able to successfully install malicious apps on a mobile device without any user interaction on the part of the victim. During the attack, the device did not display the normal "application permissions" dialog box that typically precedes installation of an Android application.
The ELF payload (which only two antivirus companies classified as Towelroot at the time of this writing) in turn contains code that downloads and installs an Android .apk application: the ransomware Trojan.
The lab device, an older Samsung tablet, was running the Cyanogenmod 10 version of Android 4.2.2 at the time it was infected.
The commoditized implementation of the Hacking Team and Towelroot exploits to install malware onto Android mobile devices using an automated exploit kit has some serious consequences. The most important of these is that older devices, which have not been updated (nor are likely to be updated) with the latest version of Android, may remain susceptible to this type of attack in perpetuity. That includes so-called media player devices -- basically inexpensive, Android-driven video playback devices meant to be connected to TVs -- many of which run the 4.x branch of the Android OS. Some of these older Android devices are now in the same situation as PCs running Windows XP: The OS may still work, despite no longer receiving updates, but using it constitutes a serious risk of infection.
Some of the domains in the network from which the attack originated are less than a month old. But the attack seems to have been going on at least since mid-February and may have started even earlier. By following the connections between the domains used in the attack and the IP addresses where they are hosted, we built a map showing these relationships. In the chart, blue lines indicate a Web hosting relationship between IP and domains; yellow lines indicate shared domain registrant information; and red arrows indicate that malware is known to communicate with the IP addresses they point to.
Although we only have visibility into some of the HTTP requests made on the networks of some of our customers, we were able to build a profile of the typical infected device, based on what we know about how the malware beacons to its command-and-control servers. We determined that at least 224 unique device models (identified by the User-Agent string transmitted in the beaconing request), running a range of Android versions between 4.0.3 and 4.4.4, communicated with the command-and-control servers since February 22. Some of these devices are known not to be vulnerable to the Hacking Team libxslt exploit specifically, which means that different exploits may have been used to infect some of them.
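The device profiling described above can be reproduced from ordinary proxy logs. The following is an added example, not code from the Blue Coat post: it parses a handful of constructed log lines (the C2 host name `c2.invalid` and the client addresses are placeholders), extracts the Android version and device model from each User-Agent string, counts unique models among the clients that beaconed to the C2 host, and flags any beaconing device whose Android version falls outside the 4.0.3 to 4.4.4 range the post reports, since such a device would have had to be infected some other way.

```python
import re
from urllib.parse import urlparse

# Constructed sample log: "<timestamp> <client> <method> <url> "<user-agent>"".
# The hosts, addresses and devices here are invented for illustration.
SAMPLE_LOG = """\
2016-03-01T10:22:41Z 10.0.0.12 POST http://c2.invalid/api/check "Mozilla/5.0 (Linux; U; Android 4.2.2; en-us; SAMSUNG-SM-T210 Build/JDQ39) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30"
2016-03-01T10:23:05Z 10.0.0.13 POST http://c2.invalid/api/check "Mozilla/5.0 (Linux; Android 4.4.4; Nexus 7 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.89 Safari/537.36"
2016-03-01T10:24:19Z 10.0.0.14 POST http://c2.invalid/api/check "Mozilla/5.0 (Linux; U; Android 4.0.3; en-gb; HTC One X Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30"
2016-03-01T10:25:02Z 10.0.0.15 POST http://c2.invalid/api/check "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.95 Mobile Safari/537.36"
2016-03-01T10:25:30Z 10.0.0.16 GET http://www.example.com/ "Mozilla/5.0 (Linux; U; Android 4.2.2; en-us; SAMSUNG-SM-T210 Build/JDQ39) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30"
2016-03-01T10:26:11Z 10.0.0.17 POST http://c2.invalid/api/check "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.116 Safari/537.36"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "(.*)"$')
# Matches "Android <ver>;" optionally followed by a locale ("en-us;"), then the
# model name up to " Build/". Both the stock Browser and Chrome UA layouts fit.
UA_RE = re.compile(
    r"Android ([0-9][0-9.]*);(?:\s*[a-z]{2}-[A-Za-z]{2};)?\s*([^;)]+?)\s+Build/"
)

# Android version range reported in the post for beaconing devices.
REPORTED_RANGE = ((4, 0, 3), (4, 4, 4))


def parse_version(text):
    """'4.4.4' -> (4, 4, 4); tuples compare correctly as versions."""
    return tuple(int(p) for p in text.strip(".").split("."))


def parse_ua(ua):
    """Return (version_tuple, model) for an Android UA, or None otherwise."""
    m = UA_RE.search(ua)
    if not m:
        return None
    return parse_version(m.group(1)), m.group(2)


def in_reported_range(version, lo=REPORTED_RANGE[0], hi=REPORTED_RANGE[1]):
    return lo <= version <= hi


def profile_beacons(log_text, c2_hosts):
    """Summarise devices that contacted any host in c2_hosts."""
    models, versions, out_of_range = set(), set(), []
    unknown_ua = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _ts, client, _method, url, ua = m.groups()
        if urlparse(url).hostname not in c2_hosts:
            continue  # not a beacon, ignore
        parsed = parse_ua(ua)
        if parsed is None:
            unknown_ua += 1  # non-Android or unparseable UA hitting the C2
            continue
        version, model = parsed
        models.add(model)
        versions.add(version)
        if not in_reported_range(version):
            out_of_range.append((client, model, ".".join(map(str, version))))
    return {
        "unique_models": len(models),
        "models": sorted(models),
        "versions": sorted(versions),
        "unknown_ua": unknown_ua,
        "out_of_range": out_of_range,
    }


if __name__ == "__main__":
    summary = profile_beacons(SAMPLE_LOG, {"c2.invalid"})
    print(summary)
```

Devices listed under `out_of_range` and `unknown_ua` are the ones worth a closer look: the post notes that some beaconing devices are not vulnerable to the libxslt exploit, so a beacon from a version outside the range (or from a non-Android client) points to a different infection vector or to a researcher's sandbox.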
The ransomware, which labels itself Cyber.Police, resembles several older, pre-cryptographic ransomware families. It presents itself as a sort of law enforcement or intelligence agency intervention into your browsing habits. The purveyor of the scam claims to be the "American national security agency" or “Nation security agency” (sic). The malware was first described in a blog post last December.
The ransomware neither threatens to encrypt the victim's data nor actually does so. Instead, the device is held in a locked state in which it cannot be used for anything other than delivering payment to the criminals, in the form of two $100 Apple iTunes gift card codes. That is unusual, because ransomware nowadays far more commonly demands a hard-to-trace cryptocurrency such as Bitcoin. In theory, Apple (or its iTunes gift card partners) might be able to trace who redeemed the gift cards handed over to the criminals, which could help investigators identify them.
Initially, the infected device displays a plain white screen with an Android icon and the non-sequitur text "Update now. Please read! Do not turn off or reboot your phone during update. Please try again later." At this point, it's still possible to hit the home button and back out of the application, but the damage has already been done. After a delay of several minutes, the ransom demand appears and the app prevents any other software from running.
When we executed the application in Blue Coat's Malware Analysis product, we learned that the malware's internal name for itself is "net.prospectus" and that it engages in the sorts of behavior we have come to expect from ransomware: it kills all other apps; prevents other apps from launching or from stopping the ransomware; sets itself up to be the first thing to start at boot time; profiles the infected device; and communicates with a command-and-control server.
In this iteration of the malware, we found that we were still able to connect the infected device to a computer and copy the unmodified documents, photos, and other files from both the device's internal memory and any additional storage card(s) that may be installed. The malware survived flashing over the operating system with a newer build of Android, but did not persist after a factory reset, which deletes any applications installed by the device's user.
As with other ransomware, the best way to defeat the criminals is to keep a backup of those precious photos, videos, and other data files somewhere other than on your phone or tablet's internal memory or memory card. That way, you can just perform a factory reset and not worry about losing anything other than the time it takes to reconfigure and reinstall your mobile device's apps. Using a more up-to-date browser than the built-in Browser app included with Android 4.x devices is also highly recommended.
Is it even worth mentioning that you should never pay the ransom to these creeps? After all, even the ransomware will itself admonish you to “[r]emember, if somebody asks you to buy a iTunes Gift Card, it is a scam.” Irony, thy name is Dogspectus.
Indicators of compromise:
Advertising networks leveraged in the attack:
Malvertising domains used to refer victims to the attack domains (subject to change):
Ransomware source and C2:
Domains related to the ransomware source or C2 domains or IP addresses:
Towelroot ELF executable (MD5): 8e3e03f44c24fc86de1f6de0e48b81f0
net.prospectus Android APK (MD5): e26710a4e499a797aab62fd0ad7ac19c
(installs itself to the /data/data/net.prospectus/ path in internal storage)
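A simple way to act on these indicators, added here as an example rather than taken from the post: the script below hashes every file under a directory of collected samples and reports any file whose MD5 matches one of the two hashes above, and separately checks the output of `adb shell pm list packages -f` (which prints one `package:<apk path>=<package name>` line per installed app) for the `net.prospectus` package. The `pm` output embedded in the block is constructed for illustration; the IOC hashes are the ones listed on the page.

```python
import hashlib
import os

# MD5 indicators from the post.
IOC_MD5 = {
    "8e3e03f44c24fc86de1f6de0e48b81f0": "Towelroot ELF executable",
    "e26710a4e499a797aab62fd0ad7ac19c": "net.prospectus Android APK",
}
RANSOMWARE_PACKAGE = "net.prospectus"
RANSOMWARE_DATA_DIR = "/data/data/net.prospectus/"

# Constructed sample of `adb shell pm list packages -f` output (illustrative
# package names; only the net.prospectus line is taken from the post).
SAMPLE_PM_OUTPUT = """\
package:/system/app/Browser/Browser.apk=com.android.browser
package:/data/app/net.prospectus-1/base.apk=net.prospectus
package:/data/app/com.example.reader-2/base.apk=com.example.reader
"""


def md5_file(path):
    """Stream a file through MD5 so large APKs do not have to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_directory(root, iocs=IOC_MD5):
    """Return (path, md5, label) for every file whose MD5 is in iocs."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            digest = md5_file(path)
            if digest in iocs:
                hits.append((path, digest, iocs[digest]))
    return hits


def find_package(pm_output, package=RANSOMWARE_PACKAGE):
    """Return the APK paths of `package` from `pm list packages -f` output."""
    found = []
    for line in pm_output.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        apk_path, sep, pkg = line[len("package:"):].rpartition("=")
        if sep and pkg == package:
            found.append(apk_path)
    return found


if __name__ == "__main__":
    for apk in find_package(SAMPLE_PM_OUTPUT):
        print(f"{RANSOMWARE_PACKAGE} installed at {apk}; "
              f"expect its data under {RANSOMWARE_DATA_DIR}")
    for path, digest, label in scan_directory("."):
        print(f"IOC match: {path} ({digest}) = {label}")
```

On a live device, `pm list packages -f` works over `adb shell` without root, so it is a quick first check before pulling the APK for hashing; the post's observation that a factory reset removes the app (but flashing a newer build does not) is consistent with the sample living under `/data/app` and `/data/data` rather than on the system partition.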
Special thanks to Blue Coat's Waylon Grange and Zimperium's Josh Drake for their analysis of the exploit code, and to Blue Coat's Christian Mills for help searching for evidence of previous attacks and related domains.