A new breed of Android malware that automatically downloads malicious apps was uncovered by security researchers after it attacked one of their company's test devices.
The exploit kit, which is the first stage of the attack, is delivered via a malicious ad on a website (also known as malvertising) that contains hostile Javascript, according to security firm Blue Coat.
The kit then installs ransomware masquerading as an app onto the Android device.
This ransomware executes automatically at a time of the malware author's choosing. When executed, it poses as a message from fake law enforcement agency Cyber.Police, with the seals of the FBI and NSA also displayed to give it an additional level of credibility.
This veneer of credibility is almost immediately undermined, however, as it demands payment in iTunes gift cards.
The malware itself is in fact quite crude - rather than encrypting the whole device and all the files contained on it, as most modern ransomware does, it instead simply locks it.
While quite old fashioned in this respect, Blue Coat researcher Andrew Brandt said this was the first time "an exploit kit has been able to successfully install malicious apps on a mobile device without any user interaction on the part of the victim".
"During the attack, the device did not display the normal 'application permissions' dialog box that typically precedes installation of an Android application," he said in a blog post.
In consultation with another researcher, Joshua Drake of Zimperium, it was determined that the malicious Javascript used at the beginning of the attack "contains an exploit against libxslt that was leaked during the Hacking Team breach".
"The commoditised implementation of the Hacking Team ... exploits to install malware onto Android mobile devices using an automated exploit kit has some serious consequences," said Brandt.
"The most important of these is that older devices, which have not been updated (nor are likely to be updated) with the latest version of Android, may remain susceptible to this type of attack in perpetuity. That includes so-called media player devices - basically inexpensive, Android-driven video playback devices meant to be connected to TVs - many of which run the 4.x branch of the Android OS," he added.
While there is little a user can do to protect against the attack if they are unable to upgrade from a vulnerable operating system, they can take mitigating steps by regularly backing up their device.
That way, if they are attacked by this malware or others, they can reset the device to factory default and restore from backup without losing very much or any data.
-
RSAC Conference 2025: The front line of cyber innovationITPro Podcast Ransomware, quantum computing, and an unsurprising focus on AI were highlights of this year's event
-
Anthropic CEO Dario Amodei thinks we're burying our heads in the sand on AI job lossesNews With AI set to hit entry-level jobs especially, some industry execs say clear warning signs are being ignored
-
LockBit data dump reveals a treasure trove of intel on the notorious hacker groupNews An analysis of May's SQL database dump shows how much LockBit was really making
-
‘I take pleasure in thinking I can rid society of at least some of them’: A cyber vigilante is dumping information on notorious ransomware criminals – and security experts say police will be keeping close tabsNews An anonymous whistleblower has released large amounts of data allegedly linked to the ransomware gangs
-
It's been a bad week for ransomware operatorsNews A host of ransomware strains have been neutralized, servers seized, and key players indicted
-
Everything we know about the Peter Green Chilled cyber attackNews A ransomware attack on the chilled food distributor highlights the supply chain risks within the retail sector
-
Scattered Spider: Who are the alleged hackers behind the M&S cyber attack?News The Scattered Spider group has been highly active in recent years
-
Ransomware attacks are rising — but quiet payouts could mean there's more than actually reported
News Ransomware attacks continue to climb, but they may be even higher than official figures show as companies choose to quietly pay to make such incidents go away.
-
Cleo attack victim list grows as Hertz confirms customer data stolen – and security experts say it won't be the lastNews Hertz has confirmed it suffered a data breach as a result of the Cleo zero-day vulnerability in late 2024, with the car rental giant warning that customer data was stolen.
-
‘Phishing kits are a force multiplier': Cheap cyber crime kits can be bought on the dark web for less than $25 – and experts warn it’s lowering the barrier of entry for amateur hackersNews Research from NordVPN shows phishing kits are now widely available on the dark web and via messaging apps like Telegram, and are often selling for less than $25.
