Attackers use Hacking Team exploit to drop ransomware

Attackers are actively using an exploit leaked last year from Italian spyware vendor Hacking Team to install ransomware that locks users out of their Android devices, researchers have discovered.

Security vendor Blue Coat and Zimperium analyst Joshua Drake have identified an exploit kit that executes malicious Javascript via booby-trapped advertisements, installing the Cyber.police or Dogspectus ransomware. 

The ransomware, which locks older devices running Android Ice Cream Sandwich, Jelly Bean and Kit Kat versions 4.0.3 to 4.4.4, demands US$200 (A$260), paid in Apple iTunes gift card codes. 

No user interaction is required to install the ransomware, which is a first, Blue Coat researcher Andrew Brandt said.

After de-obfuscating the Javascript, Blue Coat and Drake confirmed that it contains an exploit found in the Hacking Team leak.

The flaw is the "Towelroot" bug in Linux, which was uncovered in 2014. Google patched the bug in Android 4.4.4 but not in older versions of the mobile operating system, leaving just under a quarter of older devices permanently at risk of being infected.

The researchers suggested that users with older Android devices back up the data they wanted to keep outside their devices, to stay safe from ransomware. Furthermore, people should use a more up-to-date web browser than the one included with their Android devices.

Although the Cyber.police ransomware persists after devices have been reflashed with a newer version of Android, the researchers said that a factory reset wipes it off the device. It is also possible to connect ransomware-locked devices to a computer and copy over data that way.