Ransomware Infects Android 4.x

Ransomware Infects Android 4.x and Earlier

Ransomware has been sighted infecting older versions of Android in a Blue Coat lab environment. It was discovered using several vulnerabilities to install the malware silently in the background. The exploits being used are a combination of Towelroot and leaked exploits from the Hacking Team, which was also recently breached.

The ransomware is labeled as Cyber.Police and acts as if a law enforcement agency is locking your phone for illegal activity, similarly to how the RIAA Malware did in 2011. Cyber.Police doesn’t encrypt your data like most Ransomware, but it does hold the device in a locked state and requesting $100 Apple iTunes gift cards, which in comparison is peanuts compared to the exorbitant fees of other malware.

It is believed that the malware was delivered via compromised and hostile Javascript ads. This can be partially mitigated through the use of Ad Blocker or Content Blocker software (apps) Like Kaspersky ADCleaner for iOS. Here is an excerpt from the Blue Coat blog referencing the Javascript:

“After consulting with analyst Joshua Drake of Zimperium, he was able to confirm that the Javascript used to initiate the attack contains an exploit against libxslt that was leaked during the Hacking Team breach. Drake also confirmed that the payload of that exploit, a Linux ELF executable named module.so, contains the code for the “futex” or “Towelroot” exploit that was first disclosed at the end of 2014.”

The Android versions which appears to be affected are 4.0 through 4.3. These are referred to as their working code name, “Jelly Bean.” Android versions 5.x and 6.x have since been released and are receiving updates, albeit at the mercy of the phone manufacturer (Google, Samsung, HTC, etc.) and/or the cellular carrier. Android 4.4 and higher is “KitKat,” Android 5 is referred to as “Lollipop,” and Android 6 is “Marshmallow”

Our Analysis

It was only a matter of time before outdated mobile operating systems; specifically versions of Android would be targeted much as Windows PCs are. Some users are still using Jelly Bean or KitKat because they have an older device with no capability of upgrade, but Jelly Bean is no longer receiving security updates. Much like Windows XP, the operating system runs great, but it’s a huge security risk and only growing.

Ars Technica suggests that Android 4.4 (KitKat) may have been infected using separate set of exploits, but it has not been established yet. New versions of Android such as 5.x (Lollipop) and 6.x (Marshmallow) seem to be immune to the current exploits. All users should turn on the feature in their security settings to verify apps and prevent installation from unknown sources (PC World). This helps to prevent issues with signed updates and ensures the integrity of the update.

It’s recommended that anytime any of your devices release new versions of the Operating System, vulnerabilities and security updates, you update immediately. Most users are at the mercy of companies such as the phone manufacturer or carrier. Google will release a new version of Android, but these companies will test the new OS and decide when to release it. Some devices can wait an entire year or more before finally being upgraded, if ever.

There are other options as the owner of your phone to obtain newer operating systems for your device, but that requires Rooting and could lead to other dangers for your device such as bricking. Another thing that should be utilize is using another browser like Google Chrome over the default Android Internet app. It will provide more features to help spot malicious content. It is also best to avoid suspicious websites on any device to decrease your chances of becoming a victim.

If your device does get infected with ransomware, it is a decision for you to make in terms of paying. If you can restore from a good backup, do so. If you cannot and you have vital data on your phone that would cause serious irreversible implications for you (and you have the means), pay. Otherwise, you can copy over any important information from your phone to your PC, then factory reset your phone. This will delete everything off of your phone and return it to “Out of the Box”. This should clean out the ransomware and allow you to continue to use your device.

Other APS Posts

Spotify Allegedly Hacked…Again
MedStar Health Cybersecurity Fails to Prevent Attack
Adobe Patches Exploited Vulnerability
Ransomware Locks MBR
Iranian hackers hit with Federal charges
Spear Phishermen Target Corporate W-2 Data
Google Fixes Kernel Vulnerability
4 Things to Know About Ransomware
Ransomware Hits Mac Computers
IRS Targeted in Another Cyberattack

Thanks for stopping by and reading our blog. We would appreciate if you could subscribe (assuming you like what you read; we think you will). This is meant to be informative and to provide value to anyone who reads this – regardless of their knowledge and/or understanding of IT/Cybersecurity. To learn more about us, check out our “About Us” page.

Be sure to subscribe to this blog and to our Podcast.

If you have ANY Cybersecurity needs, please contact us and a member of our staff with promptly reply to your question or concern.


Ars Technica
Blue Coat
PC World



Kaspersky ADCleaner

Enter your email address:

Delivered by FeedBurner

Subscribe to our mailing list

* indicates required

About Scott Entsminger

Scott Entsminger was born and raised in Virginia. He graduated from Radford University with a Bachelor’s of Science in Criminal Justice. Scott has worked for the Department of Defense since graduating college. He is an expert in Windows Administration; with specific experience in Group Policy and vulnerability remediation. He also has specific experience in Information Assurance (IA) and Cyber Security. Scott holds the CompTIA Security+ certification. He is always looking to diversify his skillset. Scott is an avid sports fan, particularly baseball. He also is an avid gamer and enjoys learning different skills involving his PC.