While Google continually works hard in order to make each version of their Android operating system more and more secure, users of older versions of Android are still left vulnerable to attack. It has been discovered that attackers have been making use of two known exploits that exist on older versions of Android in order to install malware when the user visits a website containing a malicious advert.
Researchers from Blue Coat Systems were responsible for detecting the new use of these exploits recently when one of their test devices, a Samsung tablet running CyanogenMod 10.1 based on Android 4.2.2, was struck with a drive-by download that installed a piece of ransomware after visiting a website with a malicious advert. On closer analysis by a team from Zimperium, it was found that the advert in question contained JavaScript code that was capable of leveraging an exploit in libxslt which was one of the vulnerabilities leaked last year from Hacking Team.
If the advert is successful in executing its code, it deposits an ELF executable named module.so that makes use of another exploit known as Towelroot in order to gain root access to the device. Towelroot is then capable of downloading and silently installing a ransomware-infected APK file such as Dogspectus or Cyber.Police. While these apps don’t encrypt user files on the device, they instead bring up warnings stating that illegal activity has been detected on the device and the user must pay a fine. The device is then blocked from performing any other activities until the fee is paid or the device is factory reset.
“This is the first time, to my knowledge, an exploit kit has been able to successfully install malicious apps on a mobile device without any user interaction on the part of the victim,” Andrew Brandt, director of threat research at Blue Coat, said in a blog post. “During the attack, the device did not display the normal ‘application permissions’ dialog box that typically precedes installation of an Android application.”
It is always recommended to upgrade Android in order to avoid these kinds of security threats, however, even if this is not an option, installing other apps such as up-to-date web browsing apps can allow a user to be protected from these kinds of drive-by downloads.
