Beware: Android 4.x Ransomware Attacks

A menacing wave of ransomware that locks up Android devices and demands that victims pay $200 in Apple iTunes gift card codes is raising concern among security researchers. The attacks, they say, open a new chapter for Android vulnerabilities, one that mirrors the situation with Microsoft’s obsolete, unpatched and unsupported Windows XP operating system.

“This is a new and troubling development for the Android OS. This ransomware thrives on outdated Android devices that are not patched and will likely never be,” said Andrew Brandt, researcher at Blue Coat and the analyst who discovered the vulnerability.

He said the ransomware attacks Android 4.x operating systems, predominantly used in 2012 to 2013. That version of the Android OS is still in use by approximately 60 percent of Android devices around the world, according to Google’s own internal estimates. And just as Microsoft stopped patching Windows XP, Google is highly unlikely to patch a 5-year-old OS, Brandt said. “What we have here is a fully operational operating system which no longer receives updates,” Brandt said. “Users are in danger of infection just by using it. Having things installed without any user interaction until it’s too late is a pretty scary new development in Android threats,” Brandt said.

Brandt told Threatpost that the ransomware utilizes a three-prong attack. First, it uses the drive-by libxslt exploit embedded in ads to penetrate users of the default browsers on Android versions 4.0.3 through 4.4.4. So far, the malicious ads are targeting adult content websites.

The libxslt exploit was stolen from Hacking Team in July of last year. But Brandt said the authors appear to be using an updated version of libxslt that infects a larger range of Android 4.x OS devices compared to earlier versions. “All installs are silent and in the background,” he said. Under that cloak of indiscernibility, criminals use the compromised Android devices to download the ransomware called Cyber.Police.

This is non-crypto ransomware that displays a note that vaguely resembles an official warning targeting visitors of adult websites, stating: “All actions are illegal, are fixed. History query stored in the database of the U.S. Department of Homeland Security.” Attackers claim to be either the “American national security agency” or the “nation security agency”. “The ransomware doesn’t threaten to (or actually) encrypt the victim’s data. Rather, the device is held in a locked state where it cannot be used for anything other than delivering payment to the criminals in the form of two $100 Apple iTunes gift card codes,” Brandt wrote in a research note. Victims who opt to pay the ransom to unlock their phone are directed to pay a “fine” between $100 and $200 to a “treasury account” by submitting iTunes gift card codes. Use of iTunes gift cards for ransomware payments is unusual, given that Bitcoin has been the preferred untraceable form of payment for crypto-ransomware attackers for over a year now.

Brandt said the easiest and most effective way to remove the ransomware is to restore the Android device to its original factory default software. The best way to mitigate this vulnerability is to use a device that runs a more recent version of Android than the Android 4 family of operating systems, Nguyen said.

Blue Coat recommends keeping a fresh device backup somewhere other than on your phone or tablet’s internal memory or memory card. “That way, you can just perform a factory reset and not worry about losing anything other than the time it takes to reconfigure and reinstall your mobile device’s apps,” Brandt said.
