Sure, a lot of people love music, movies, e-books and new apps, but the person behind the ransomware “Dogspectus” has taken it to the extreme of locking Android devices and demanding $200 in iTunes gift cards to unlock each phone or tablet. Victims don’t even have to do something that might be considered security-stupid, such as accepting new app install permissions, to wind up with an infected device; the “ransomware” is delivered via malicious ads and installs “silently in the background.”
How can that be? Say thanks once again to the flipping Hacking Team as Dogspectus uses a previously leaked Hacking Team exploit to deliver “Towelroot” which then installs the ransomware.
Not only is the ransom demand unusual, the ransomware itself is, since it doesn’t encrypt the device. It simply locks it so the device can’t be used for anything other than meeting the demand for two $100 iTunes cards to unlock it. Hopefully Apple can trace who redeemed the extorted iTunes cards back to the person or persons behind this attack. Of course, there is the possibility that the gift cards are being sold instead of cashed in by the attacker.
If your device is infected, and it doesn't need to be rooted to get infected, you’ll see a “ransom” screen from the “Cyber.Police” pretending to be from some nosy law enforcement agency spying on your web browsing habits. To unlock your device, the attacker demands that you send two $100 iTunes cards or four $50 gift cards.
Android devices running Lollipop (5.x) or Marshmallow (6.x) are not currently affected, but as you can see from the April 2016 Android platform distribution numbers, there are more devices (59.6%) running vulnerable platforms than not. Telling you to update is all well and good, but if you have an older phone then a newer platform may not be supported and your device may stay susceptible to the attack.
In other words, as Brandt wrote:
The commoditized implementation of the Hacking Team and Towelroot exploits to install malware onto Android mobile devices using an automated exploit kit has some serious consequences. The most important of these is that older devices, which have not been updated (nor are likely to be updated) with the latest version of Android, may remain susceptible to this type of attack in perpetuity. That includes so-called media player devices -- basically inexpensive, Android-driven video playback devices meant to be connected to TVs -- many of which run the 4.x branch of the Android OS. Some of these older Android devices are now in the same situation as PCs running Windows XP: The OS may still work, despite no longer receiving updates, but using it constitutes a serious risk of infection.
Ironically, while the ransom message mentions “approved Apple partners and Nation Security agency” – the better to help you find the demanded iTunes cards – the attacker also warns about iTunes gift card scams and urges you to avoid becoming a victim of fraud. Brandt explained, “Even the ransomware will itself admonish you to ‘[r]emember, if somebody asks you to buy a iTunes Gift Card, it is a scam.’ Irony, thy name is Dogspectus.”
Although the attacks apparently started in February or earlier, Blue Coat reported that some of the domains used in the attack are less than a month old. Some of the infected devices are not supposed to be vulnerable to the Hacking Team exploit, so the researchers suggested different exploits may have been used.
As is always the case, the best bet is to have a recent backup of your data. In fact, Blue Coat said you can sidestep the ransom by performing a factory reset. If you have a backup, then you don’t lose everything near-and-dear to you permanently. It would be ludicrous to give in to this ransomware demand. Consider using an ad blocker on your mobile device to stop tracking as well as to avoid becoming a victim of malvertising.