The other day I mentioned that Android users may be less susceptible to security flaws in older hardware because they tend not to engage in the sort of risky behavior that can entrap less wary desktop PC users. However, I might have spoken too soon.
Ars Technica reports that a security research firm has happened upon a “drive-by attack”—a hacking attack that happens without the user engaging in nominally risky behavior—that is being used to lock up devices running older versions of Android and demand iTunes gift cards in exchange for unlocking them.
The attack exploits the infamous “Towelroot” exploit present in Android 4.0 through 4.3, which has also been used by device owners to root their Android devices—and it’s possible that the same attack is also being used against 4.4 devices using a different exploit.
The attack happens when a user visits a malicious web site, which infects the device with a ransomware app called Cyber.Police. This app locks up the phone so it can’t make or receive calls or do anything else until a ransom is paid in the form of one or more $100 iTunes gift cards. It apparently uses code leaked during a recent hack and leak of material from Hacking Team, an Italian black-hat cybersecurity firm that specializes in aiding oppressive regimes.
So far, the attack only seems to be spreading via porn sites, the viewing of which could be considered to be its own form of risky behavior. Still, it’s worth keeping an eye on—not least because hundreds of millions of devices are still vulnerable to the attack, and possibly even more if they have an Android 4.4 exploit as well.
And the next person to come up with such an attack could very well do something even more harmful than just locking up your phone and demanding a ransom. Many people use banking apps and keep other important financial information on their phones.
For the time being, the wisest advice is probably just not to visit porn sites from your phone, especially if you’re running an older version of Android. It would also be a good idea to upgrade to a newer version, if you can, and just use older devices for less risky behavior like reading e-books. Meanwhile, hopefully more OEMs and phone companies are starting to get the idea that it would be good if they could be more proactive about enabling periodical Android security patches.