A new drive-by attack is making the rounds online and infecting older Android devices without the users’ knowledge or input. While the malware distributed could be described as “mild”, the attack nonetheless signifies a change for the worse in the way Android devices are targeted and malicious payloads delivered.
Security researchers at Blue Coat Systems discovered the attack, which targets Android devices running versions of the operating system up to and including 4.3. That version came out almost three years ago, but 4.3 and earlier releases are still running on 21% of devices, according to Google's own numbers. There is reason to believe that Android 4.4 is also vulnerable, albeit through a different set of exploits, which would put more than half of Android devices at risk.
What is different and worrying about this latest threat is that, unlike earlier malware which required users to install a malicious app or grant it permissions, this is a "drive-by attack": the device is compromised simply by rendering a web page. At the moment the attack appears to be served through ads on some porn sites.
The attack chains several publicly known Android vulnerabilities, including the "Towelroot" kernel exploit, to gain root access on the device. Once rooted, it installs a ransomware app that disables most of the device's functions and instructs the user to pay via iTunes gift card codes.
Luckily, while the attack itself is sophisticated and reuses exploit code leaked from the Hacking Team last year, the payload it delivers is rudimentary and relatively easy to remove. Unlike the crypto-ransomware that has become common, it does not encrypt the user's files.
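For anyone responsible for a fleet of older devices, the practical first step is to find out which ones fall in the version range described above. The following is an added example, not code from the article or from Blue Coat: it parses the output of `adb shell getprop` (the sample property dumps are constructed here, not real captures) and classifies each device against the range the article gives, treating 4.3 and earlier as vulnerable and 4.4 as likely vulnerable via different exploits. The article gives no lower bound, so none is applied.

```python
import re
from typing import Dict, Tuple

# Constructed sample: `adb shell getprop` output from three hypothetical devices.
SAMPLE_GETPROP = {
    "tablet-a": (
        "[ro.build.version.release]: [4.3]\n"
        "[ro.build.version.sdk]: [18]\n"
        "[ro.product.model]: [example-tablet]\n"
    ),
    "phone-b": (
        "[ro.build.version.release]: [4.4.4]\n"
        "[ro.build.version.sdk]: [19]\n"
    ),
    "phone-c": (
        "[ro.build.version.release]: [6.0.1]\n"
        "[ro.build.version.sdk]: [23]\n"
        "[ro.build.version.security_patch]: [2016-04-01]\n"
    ),
}

# getprop prints one "[key]: [value]" pair per line.
PROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<val>[^\]]*)\]$")


def parse_getprop(text: str) -> Dict[str, str]:
    """Parse getprop output into a dict; lines that do not match are ignored."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("val")
    return props


def version_tuple(release: str) -> Tuple[int, ...]:
    """Turn '4.4.4' into (4, 4, 4); tolerates vendor suffixes such as '4.4.4-foo'."""
    parts = re.findall(r"\d+", release.split("-")[0])
    if not parts:
        raise ValueError("unrecognised release string: %r" % release)
    return tuple(int(p) for p in parts)


def classify(props: Dict[str, str]) -> str:
    """Classify a device against the version range the article describes."""
    release = props.get("ro.build.version.release")
    if release is None:
        return "unknown"
    major_minor = version_tuple(release)[:2]
    if major_minor <= (4, 3):
        return "vulnerable"        # <= 4.3: Towelroot-based chain
    if major_minor == (4, 4):
        return "likely-vulnerable"  # 4.4: reportedly hit via other exploits
    return "outside-reported-range"


def triage(dumps: Dict[str, str]) -> Dict[str, str]:
    """Map device name -> classification for a set of getprop dumps."""
    return {name: classify(parse_getprop(text)) for name, text in dumps.items()}


if __name__ == "__main__":
    for device, verdict in triage(SAMPLE_GETPROP).items():
        print(device, verdict)
```

On a real fleet the dumps come from `adb -s <serial> shell getprop` or an MDM export; the classification only says a device is in the affected version range, not that it has been compromised.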
However, this is still a worrying sign, not only because of the ease with which the malware can get on systems, but also because of the large number of devices vulnerable, and the fact that these devices are likely to never get upgraded.
Once again, staying up to date and avoiding dodgy websites remains good advice, but against exploits like this there is little users of affected devices can do besides buying newer hardware.
Source: Blue Coat Systems via: Ars Technica