Security and networking company Blue Coat has discovered a new piece of ransomware that can silently attack an Android phone without any user interaction. Unlike other Android malware, which is installed through infected apps, this new malware can be automatically installed by simply visiting an infected site, in this case - an unspecified adult site.

According to Blue Coat, this is the first time an exploit pack has been successfully used to infect a mobile device without requiring any action from the user. Devices that get hit with the malware do not display the "application permissions" dialog box, which would normally appear prior to installation of an Android application. Instead, the phone is placed into a lock state and a ransom dialogue is displayed. Infected users will be presented with a dialogue box that says their device has been blocked and functionality can be restored by paying a fine to the authorities in the form of iTunes gift cards.

Analysts at Zimperium found that the malware is installed on the device through an exploit in libxslt. The exploit uses an infected ad to run javascript code to give the malware root access. With root access, the full infected app is downloaded to the device silently in the background. Unlike traditional ransomware that have been reported previously, this malware does not destroy or encrypt user data for ransom.

This malware is unique in that it uses two exploits previously published by Towelroot and Hacking Team to deliver its payload. This might have far-reaching consequences for the Android operating systems security especially with older versions.

One of Android's biggest criticisms is the fragmentation found in its hardware. With the hardware manufacturers and phone companies responsible for deploying OS updates, many Android devices in the market today are running older OS versions which may be vulnerable. In contrast, when iOS is updated, most iPhone users migrate quickly to the new version. In a recent report by OpenSignal in August 2015, 85 percent of users were running iOS 8 while only 15 percent were running older versions. In comparison, 18.1 percent of Android users were running Lollipop (the latest version at that time), 39.3 percent were running Kitkat, 33.6 were running Jelly Bean, while 9 percent were running even older versions of the operating system.

It is interesting to note that the ransomware is asking for iTunes gift cards instead of the traditional cryptocurrency. This presents authorities with the possible avenue of investigation by contacting Apple to trace the funds. Affected users, however, should not pay the ransom as they can remove the malware by using the factory reset option.

The full details of the malware are yet to be released by Blue Coat, but experts suggest that users always keep important data backed up to an external device or the cloud and remain vigilant.

ⓒ 2021 All rights reserved. Do not reproduce without permission.