A new malware type has been spotted in the wild that features a couple of original moves not seen yet by researchers; it is self installing and the cybercriminals require that the ransom be paid in iTunes gift cards.
Researchers at Blue Coat said the cybercriminals are using ELF, aka Towelroot, exploits along with some tools from the leaked Hacking Team exploit-kit inventory to spread Dogspectus ransomware. The download is achieved through malicious ads that are served onto the device through a series of redirections that usually start with a malvertising ad call, said Blue Coat researcher Andrew Brandt to SCMagazine.com in an email Tuesday.
What happens next caught Brandt by surprise. Instead of showing the usual “application permissions” dialog box that spurs the victim to act and thus download the malware, this malware simply installs itself.
“This is the first time, to my knowledge; an exploit kit has been able to successfully install malicious apps on a mobile device without any user interaction on the part of the victim,” Brandt wrote
Brandt noted that devices running newer versions of Chrome, downloaded properly from the Play market, do not appear vulnerable, while those running out of date 4.x variants are susceptible. Blue Coat is continuing its research to see if the malware successfully infects newer versions of Android.
The attacks are believed to have begun in February.
Once installed and ready to act the ransomware displays an iTunes graphic claiming the device has been locked by a supposed law enforcement group such as the “America national security agency” or “Nation security agency” with the demand for $200 to be paid using iTunes gift cards.
The device is not encrypted, just locked, and if connected to a computer photos, music and other files can be removed.
“Use of iTunes gift card codes is extremely unusual. Early ransomware asked for money transfers via Western Union moneygram, then they all switched over to Bitcoin. This is the first ransomware I've seen that asks for this specific type of gift card to be used for payment,” Brandt said.
