A new breed of Android malware that automatically downloads malicious apps was uncovered by security researchers after it attacked one of their company's test devices.
The exploit kit, which is the first stage of the attack, is delivered via a malicious ad on a website (also known as malvertising) that contains hostile Javascript, according to security firm Blue Coat.
The kit then installs ransomware masquerading as an app onto the Android device.
This ransomware executes automatically at a time of the malware author's choosing. When executed, it poses as a message from fake law enforcement agency Cyber.Police, with the seals of the FBI and NSA also displayed to give it an additional level of credibility.
This veneer of credibility is almost immediately undermined, however, as it demands payment in iTunes gift cards.
The malware itself is in fact quite crude - rather than encrypting the whole device and all the files contained on it, as most modern ransomware does, it instead simply locks it.
While quite old fashioned in this respect, Blue Coat researcher Andrew Brandt said this was the first time "an exploit kit has been able to successfully install malicious apps on a mobile device without any user interaction on the part of the victim".
"During the attack, the device did not display the normal 'application permissions' dialog box that typically precedes installation of an Android application," he said in a blog post.
In consultation with another researcher, Joshua Drake of Zimperium, it was determined that the malicious Javascript used at the beginning of the attack "contains an exploit against libxslt that was leaked during the Hacking Team breach".
"The commoditised implementation of the Hacking Team ... exploits to install malware onto Android mobile devices using an automated exploit kit has some serious consequences," said Brandt.
"The most important of these is that older devices, which have not been updated (nor are likely to be updated) with the latest version of Android, may remain susceptible to this type of attack in perpetuity. That includes so-called media player devices - basically inexpensive, Android-driven video playback devices meant to be connected to TVs - many of which run the 4.x branch of the Android OS," he added.
While there is little a user can do to protect against the attack if they are unable to upgrade from a vulnerable operating system, they can take mitigating steps by regularly backing up their device.
That way, if they are attacked by this malware or others, they can reset the device to factory default and restore from backup without losing very much or any data.
-
Hounslow Council partners with Amazon Web Services (AWS) to build resilience and transition away from legacy techSpomsored One of the most diverse and fastest-growing boroughs in London has completed a massive cloud migration project. Supported by AWS, it was able to work through any challenges
-
Salesforce targets better data, simpler licensing to spur Agentforce adoptionNews The combination of Agentforce 360, Data 360, and Informatica is more context for enterprise AI than ever before
-
15-year-old revealed as key player in Scattered LAPSUS$ HuntersNews 'Rey' says he's trying to leave Scattered LAPSUS$ Hunters and is prepared to cooperate with law enforcement
-
The Scattered Lapsus$ Hunters group is targeting Zendesk customers – here’s what you need to knowNews The group appears to be infecting support and help-desk personnel with remote access trojans and other forms of malware
-
Impact of Asahi cyber attack laid bare as company confirms 1.5 million customers exposedNews No ransom has been paid, said president and group CEO Atsushi Katsuki, and the company is restoring its systems
-
The US, UK, and Australia just imposed sanctions on a Russian cyber crime group – 'we are exposing their dark networks and going after those responsible'News Media Land offers 'bulletproof' hosting services used for ransomware and DDoS attacks around the world
-
A notorious ransomware group is spreading fake Microsoft Teams ads to snare victimsNews The Rhysida ransomware group is leveraging Trusted Signing from Microsoft to lend plausibility to its activities
-
Volkswagen confirms security ‘incident’ amid ransomware breach claimsNews Volkswagen has confirmed a security "incident" has occurred, but insists no IT systems have been compromised.
-
The number of ransomware groups rockets as new, smaller players emergeNews The good news is that the number of victims remains steady
-
Teens arrested over nursery chain Kido hacknews The ransom attack caused widespread shock when the hackers published children's personal data
