Dogspectus: Android ransomware silently installs, demands $200 iTunes gift card ransom

Dogspectus is a ransomware that silently installs on Android devices, via malvertising and a Hacking Team exploit, then demands a ransom of $200 in iTunes gift cards.

Dogspectus ransomware for Android
Credit: Blue Coat Labs

Sure, a lot of people love music, movies, e-books and new apps, but the person behind the ransomware “Dogspectus” has taken it to the extreme of locking Android devices and demanding $200 in iTunes gift cards to unlock each phone or tablet. Victims don’t even have to do something that might be considered security-stupid, such as accept new app install permissions, to wind up with an infected device; the “ransomware” is delivered via malicious ads and installs “silently in the background.”

How can that be? Say thanks once again to the flipping Hacking Team as Dogspectus uses a previously leaked Hacking Team exploit to deliver “Towelroot” which then installs the ransomware.

According to Blue Coat Labs researcher Andrew Brandt, “This is the first time, to my knowledge, an exploit kit has been able to successfully install malicious apps on a mobile device without any user interaction on the part of the victim.” The firm discovered the new malware attack after analyzing an Android that “was hit with the ransomware when an advertisement containing hostile Javascript loaded from a webpage.”

Not only is the ransom demand unusual, the ransomware itself is, since it doesn’t encrypt the device. It simply locks it so the Android can’t be used for anything other than meeting the demands of two $100 iTunes cards to unlock it. Hopefully Apple can track who used the extorted iTunes cards back to the person or persons behind this attack. Of course, there is the possibility that the gift cards are being sold instead of cashed in by the attacker.

CyberPolice ransom screen
Credit: Blue Coat Labs

If your device is infected, and it doesn't need to be rooted to get infected, you’ll see a “ransom” screen from the “Cyber.Police” pretending to be from some nosy law enforcement agency spying on your web browsing habits. To unlock your device, the attacker demands that you send two $100 iTunes cards or four $50 gift cards.

Dogspectus iTunes card ransom
Credit: Blue Coat Labs

Androids running Lollipop (5.x) or Marshmallow (6.x) are not currently affected, but as you can see by the April 2016 Android platform distribution numbers, there are more devices (59.6%) running vulnerable platforms than are not. Telling you to update is well and fine, but if you have an older phone then a newer platform may not be supported and your device may stay susceptible to the attack.

Android platform distribution numbers for April 2016
Credit: Android Developers

In other words, as Brandt wrote:

The commoditized implementation of the Hacking Team and Towelroot exploits to install malware onto Android mobile devices using an automated exploit kit has some serious consequences. The most important of these is that older devices, which have not been updated (nor are likely to be updated) with the latest version of Android, may remain susceptible to this type of attack in perpetuity. That includes so-called media player devices -- basically inexpensive, Android-driven video playback devices meant to be connected to TVs -- many of which run the 4.x branch of the Android OS. Some of these older Android devices are now in the same situation as PCs running Windows XP: The OS may still work, despite no longer receiving updates, but using it constitutes a serious risk of infection.  

Ironically, when the ransom message mentions “approved Apple partners and Nation Security agency” – the better to help you find the demanded iTunes cards – the attacker warns about iTunes gift card scams and to avoid becoming a victim of fraud. Brandt explained, “Even the ransomware will itself admonish you to ‘[r]emember, if somebody asks you to buy a iTunes Gift Card, it is a scam.’ Irony, thy name is Dogspectus.”

Although the attacks apparently started in February or earlier, Blue Coat reported that some of the domains used in the attack are less than a month old. Some of the infected devices are not supposed to be vulnerable to the Hacking Team exploit, so the researchers suggested different exploits may have been used.

As is always the case, the best bet is to have a recent backup of your data. In fact, Blue Coat said you can sidestep the ransom by performing a factory reset. If you have a backup, then you don’t lose everything near-and-dear to you permanently. It would be ludicrous to give in to this ransomware demand. Consider using an ad blocker on your mobile device to stop tracking as well as to avoid becoming a victim of malvertising.
