New Android Ransomware Can Infect Phone—and Lock it—Without Any User Knowledge

While Google has seemed to hit its stride again with its latest Android OS update, Marshmallow, there is a snag that adds a little turbulence to this continuous climb. The security and networking company Blue Coat has recently discovered a new piece of mobile ransomware that can creep onto an Android phone without the user's knowledge; in fact, without the user noticing at all.

This is very different from other Android malware because previously known forms tend to be installed through infected apps downloaded from third parties or through the mobile web. Blue Coat found, though, that this most recent malware can be installed just by visiting an infected site. While they have not specified which site (perhaps they are not certain), they suggest that the infected site is likely an adult site.

Blue Coat reports this is the first time an exploit like this has been found to install itself successfully without any interaction from the user. Typically, software like this requires the user to, at the very least, click a box in a pop-up window (or something similar). Blue Coat adds that devices hit with this particular attack do not display the typical "application permissions" dialog box that normally accompanies the installation of any software, and which a user can often work around.

Instead of this usual avenue, the new ransomware simply installs itself onto the device and locks it, displaying a standard ransom message. A dialog box appears indicating that the device is locked and that functionality can only be restored after paying a fine to the authorities; in this case, though, the "fine" is an iTunes gift card.

Of course, this is very similar to ransomware you might find on your computer, which prevents you from using an internet browser unless you pay a fee for a "virus scan" or the like.

“This looks like a decently sophisticated attack,” explains Joshua Drake, who is the vice president for platform research and exploitation at Zimperium. He adds, “This attack is powerful because it leverages vulnerabilities in software that’s installed by default to surreptitiously take full control of a victim’s device. As far as I am aware, this attack represents the first in-the-wild drive-by-download attack that exploits a chain of vulnerabilities to target Android users. While this attack uses older vulnerabilities, it represents a change in the tactics used by malicious actors in the Android space.”