The experts at Blue Coat Labs first spotted the threat after a tablet running CyanogenMod 10 / Android 4.2.2 viewed an advertisement that silently served malicious payloads without any user interaction. The infection occurs when users visit a website that contains tainted JavaScript code. Blue Coat Labs says the malicious code is delivered via malicious ads (malvertising). The malicious code hijacks mobile advertisements to scam gift cards, it locks the device in a state that allows only victims to make payment. Security researchers from Zimperium have confirmed that the malicious code contained an exploit leaked last year in the Hacking Team data breach. The attack is very sophisticated and signifies the evolution of the classic malvertising attack, as explained below by Andrew Brandt from Blue Coat. “This is the first time, to my knowledge; an exploit kit has been able to successfully install malicious apps on a mobile device without any user interaction on the part of the victim. During the attack, the device did not display the normal “application permissions” dialog box that normally comes before the installation of an Android application.” wrote Brandt. After further analysis with the help of from researchers at Zimperium revealed that the exploit leverages a susceptibility in the libxslt Android library that allows attackers to download a Linux ELF binary called module.so on the device. This binary uses the Android exploit known as Towelroot to get root privileges on the device. The tool was released in 2014 by the popular hacker George Hotz, it is able to root Android devices exploiting a known Linux flaw (CVE-2014-3153). Once root access is confirmed, module.so will also download an additional Android APK (Android Application Package), which contains the ransomware code. The attacker can then silently install the ransomware with root access in hand and without prompting the user for any permission. The name of this ransomware trojan is Dogspectus or Cyber.Police and was first detected back in December 2014. Compared to desktop-based ransomware that encrypts files, this application does not encrypt user files. Instead, it displays a fake warning, allegedly from law enforcement agencies, saying illegal activity was detected on the device and the owner needs to pay a fine. Blue Coat Labs says that infected victims send unencrypted traffic from their device to a central command and control server. The company was able to track traffic coming from 224 different Android device models (tablets, smartphones), using Android versions between 4.0.3 and 4.4.4. The lowest officially supported version of Android is 4.4.4, which means that the attackers are targeting users who have failed or cannot upgrade their devices. “The fact that some of these devices are known not to be vulnerable specifically to the Hacking Team libxlst exploit means that different exploits may have been used to infect some of these [other] mobile devices,” notes Brandt. “The ransomware doesn’t threaten to (or actually) encrypt the victim’s data. Rather, the device is held in a locked state where it cannot be used for anything other than delivering payment to the criminals in the form of two $100 Apple iTunes gift card codes,” Brandt wrote in a research note. Victims who opt to pay the ransom to unlock their phone are directed to pay a “fine” between $100 and $200 to a “treasury account” via submitting an iTunes gift card codes. However, Brandt said the easiest and most effective way to remove the ransomware is to restore the Android device to its original factory default software. So, in the event you find yourself infected with the Dogspectus Android ransomware, it is suggested that you connect the device to your PC and copy personal data to your computer before opting for a factory reset. Also, it is always recommended to upgrade the device to the latest Android version, as newer versions of the OS include vulnerability patches and other security improvements. Further, the users should restrict their Web browsing activities on the device, once it goes out of support and no longer receives any updates. Similarly, on older devices, instead of using the default Android Browser, they should install a browser like Chrome.