SafeUM
Blog

Axarhöfði 14, 110 Reykjavik, Iceland

Iceland - 2015

26 Apr 2016
Active drive-by exploits critical Android bugs, care of Hacking Team

An ongoing drive-by attack is forcing ransomware onto Android smartphones by exploiting critical vulnerabilities in older versions of Google's mobile operating system still in use by millions of people.

The attack chains exploits for at least two critical vulnerabilities in Android versions 4.0 through 4.3, one of them the Linux kernel futex bug exploited by the tool known as Towelroot, which gives attackers unfettered "root" access to vulnerable phones.

The exploit code appears to borrow heavily from, if not copy outright, some of the Android attack scripts that leaked to the world following the embarrassing breach of Italy-based Hacking Team in July 2015. Additional data indicates devices running Android 4.4 may also be infected, possibly by exploiting a different set of vulnerabilities. It is the first time, or at least one of only a handful of times, that Android vulnerabilities have been exploited in real-world drive-by attacks.

For years, most Android malware has spread by social engineering campaigns that trick a user into installing a malicious app posing as something useful and benign. The drive-by attack, which has been active for at least the past 60 days and was discovered by security firm Blue Coat Systems, is notable because it is completely stealthy and requires no user interaction. Blue Coat has published its findings.

"This looks like a decently sophisticated attack," said Joshua Drake, vice president for platform research and exploitation at Zimperium. "This attack is powerful because it leverages vulnerabilities in software that's installed by default to surreptitiously take full control of a victim's device. As far as I am aware, this attack represents the first in-the-wild drive-by-download attack that exploits a chain of vulnerabilities to target Android users. While this attack uses older vulnerabilities, it represents a change in the tactics used by malicious actors in the Android space."

Drake's assessment was based on his review of code that was delivered when a Samsung tablet running Android 4.2.2 in Blue Coat's lab was infected after viewing a malicious ad delivered over a porn site. Data from Blue Coat logs indicates that at least 224 Android devices running Android 4.x, including 4.4, may have been infected. The handsets were connected to 77 different enterprise networks protected by a Blue Coat security service, so the data likely reflects only a tiny fraction of the total number of infections on the Internet at large.

Once the vulnerable Blue Coat tablet visited the booby-trapped webpage, the device was surreptitiously infected with a piece of ransomware called Cyber.Police. The app has been circulating since at least December and threatens legal action for viewing illegal porn unless users pay a fine in the form of one or more $100 Apple iTunes gift cards.

The malicious app puts infected devices into a locked state that prevents them from making or receiving calls or being used for other purposes. The only way Blue Coat researcher Andy Brandt was able to remove the app was to perform a factory reset, but Web searches indicate there may be easier methods involving booting the infected device into safe mode.

During the infection, Brandt captured the traffic that passed between the tablet and the booby-trapped webpage it visited. He provided all of it to Drake for a deeper inspection. Drake's analysis found that, once deobfuscated, the JavaScript served in the attack was almost identical to exploit code leaked in the Hacking Team breach. The Hacking Team JavaScript forces vulnerable Android devices to download and execute any file of an attacker's choosing. The Executable and Linkable Format (ELF) binary served to Brandt's tablet exploited the Towelroot vulnerability and then executed an Android APK that installed the malicious Cyber.Police app.

The attack used the newly gained root privileges to suppress the usual application permissions dialog that's supposed to precede installation of an Android app. It also used the elevated privileges to shut down other apps and OS functions and effectively lock the phone.

Towelroot has its genesis in the Linux kernel futex local privilege escalation bug (CVE-2014-3153), discovered by the hacker known as Pinkie Pie, who has also exploited a variety of high-severity vulnerabilities in the Chrome browser. The bug, in the kernel's handling of futex requeue operations, allowed unprivileged users or processes to gain unfettered root access. Within days, fellow hacker George "GeoHot" Hotz had packaged it as a way for Android users to root their phones and make them do things Google, the hardware manufacturer, or the carrier forbid. Google plugged the Towelroot hole in version 4.4, a version that almost 25 percent of the Android user base has never received.
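A device-side check for the futex bug described above, added here by the editor as an example; it is not code from the page, from Blue Coat, Zimperium or Hacking Team, and it is a probe, not the exploit. It relies on one property of the June 2014 upstream kernel fix that Android later picked up: FUTEX_CMP_REQUEUE_PI now rejects a call whose two futex addresses are identical with EINVAL before doing any work, whereas an unpatched kernel accepts the call and, with no thread waiting on the word, requeues nothing and returns 0. Build it with the NDK and run it over adb on a 4.x handset, or natively on any Linux box. Two caveats: a kernel that has PI futexes disabled, or a seccomp or emulation layer that filters the call, answers ENOSYS and the result is reported as unknown rather than patched; and a "patched" answer says nothing about the second, unnamed vulnerability in the chain.

```c
#include <errno.h>
#include <linux/futex.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Outcome of the probe. */
enum futex_state { FUTEX_PATCHED = 0, FUTEX_VULNERABLE = 1, FUTEX_UNKNOWN = 2 };

/*
 * Probe for the CVE-2014-3153 (Towelroot) kernel fix without touching any
 * real lock.  The fix makes FUTEX_CMP_REQUEUE_PI refuse a request in which
 * uaddr1 == uaddr2 and return EINVAL up front.  An unpatched kernel accepts
 * the call and, because nobody is waiting on our private futex word,
 * requeues nothing and returns 0.  (Editor's example; assumes a Linux
 * kernel that implements PI futexes.)
 */
enum futex_state probe_futex_requeue_pi(void)
{
    uint32_t f = 0;     /* private futex word with no waiters */
    long ret = syscall(SYS_futex,
                       &f,
                       FUTEX_CMP_REQUEUE_PI | FUTEX_PRIVATE_FLAG,
                       1,           /* nr_wake: requeue_pi requires exactly 1 */
                       (void *)0,   /* val2 / nr_requeue: 0, nothing to requeue */
                       &f,          /* uaddr2 == uaddr1: the case the fix rejects */
                       f);          /* val3: expected *uaddr, so no EAGAIN */
    if (ret == 0)
        return FUTEX_VULNERABLE;    /* call accepted: the fix is absent */
    if (errno == EINVAL)
        return FUTEX_PATCHED;       /* rejected before any work: fix present */
    return FUTEX_UNKNOWN;           /* e.g. ENOSYS: PI futexes disabled/filtered */
}

/* Human-readable label for a probe result. */
const char *futex_state_name(enum futex_state s)
{
    switch (s) {
    case FUTEX_PATCHED:    return "patched";
    case FUTEX_VULNERABLE: return "vulnerable";
    default:               return "unknown";
    }
}

int main(void)
{
    enum futex_state s = probe_futex_requeue_pi();
    printf("CVE-2014-3153 futex requeue_pi probe: %s\n", futex_state_name(s));
    return s == FUTEX_VULNERABLE ? 1 : 0;
}
```

The probe is safe to run on production handsets: it never blocks, never wakes another thread, and the only side effect is one rejected or empty requeue on a word that no other thread can see. Exit status 1 flags a vulnerable kernel so the binary can be driven from an `adb shell` loop across a fleet.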

Crude, yes, but still worth watching

The proficiency of the exploit is in stark contrast to the malicious app itself. Cyber.Police harks back to an earlier time when ransomware made only vague threats and mostly used easily defeated locking techniques. Unlike newer crypto ransomware, the app doesn't encrypt files. The use of iTunes gift cards to receive payment is another feature that appears crude when compared with the more current trend of demanding payment in Bitcoin, which is much harder for authorities to trace.

There are other limitations to the attack. For one, even if it uses a separate set of exploits to infect devices running Android 4.4—something that may be possible but has not yet been established—later Android versions are immune. What's more, all indications so far are that the attacks are spreading only on porn sites and don't affect mainstream Web properties.

Despite the limitations, there are several reasons the attacks represent a threat that's worth watching. For one, by Google's own figures, about 23.5 percent of all Android devices remain vulnerable to the attacks, and if Android 4.4 users are indeed susceptible, as Blue Coat suspects, the percentage jumps to almost 57 percent. Remember, too, that a sizeable portion of vulnerable handsets will never receive an update.

More broadly, the campaign illustrates that drive-by attacks targeting Android users can be a viable means of infecting people. If criminals can chain together two or more publicly available exploits to install a two-bit ransomware app, there's no doubt the same technique can be used again, possibly against a wider base of users to install something much more nefarious.

Tags: Android, information leaks
Source: Ars Technica