Encryption as an automated extortion weapon finds its way to mobile
When the whole HTML5 project began several years ago, it was with the promise of endowing Web browsers with enough native, open-standards technology that they could stop relying on plug-ins to render functional applications. Today, while modern browsers already have those promised capabilities, and more users than expected have upgraded to modern browsers, the server side of the Web has been reluctant to keep pace.
Through rendering plug-ins such as Adobe Flash and now Microsoft Silverlight, as well as through stand-alone runtimes such as Oracle Java, malicious actors are still finding ways around the file system security native to desktop operating systems; on Android, they are finding that such security is still under construction.
Last Wednesday, researchers with security software maker ESET reported the discovery, in May, of a variation on the fake antivirus screen that, on Android devices, triggers the download and silent execution of malware that encrypts the user's private documents and media. Like the ransomware for Windows PCs that first made the rounds last November, this latest sample, dubbed Simplocker, scans the phone's SD card for file extensions that denote pictures, documents and videos, encrypts those files with AES (though, as ESET's Robert Lipovsky reports, not as securely as the ransom note would have victims believe) and then presents a lock screen demanding payment through an online cash transfer service.
To keep the command-and-control server anonymous, the malware talks to it over Tor, the volunteer-run anonymity network that relays traffic through several hops so that no single relay, and neither endpoint, sees both the source and the destination address. Tor's stated purposes are anonymity and the circumvention of IP address-based censorship in countries that practice it; the same properties hide an extortionist's server just as well.
The malware industry collects its revenue through automated extortion systems such as Simplocker, which individuals can deploy from rented infrastructure such as public cloud services. Last week the FBI filed charges against one Evgeniy Bogachev for running one such business, the GameOver Zeus botnet, which distributed the cryptographic malware dubbed Cryptolocker.
Yet ESET's forensic analysis of this latest strain revealed a fairly basic encryption process, leading its researchers to believe that Simplocker is essentially a proof of concept, or a work in progress.
ESET's report was followed the next day by a new analysis, from Cisco's Cloud Web Security (CWS) team, of ransomware that is a probable offshoot of Cryptolocker, delivered through the RIG exploit kit. CWS blocks access to suspicious addresses, and Cisco's Andrew Tsonchev reports that on May 16 his team found itself blocking heavy volumes of suspicious traffic to some 90 domains, originating from as many as 17 percent of its customers.
In the most complete picture yet of the reversal of roles, if you will, between malware and security, small groups of consultants have taken to publicly reporting vulnerabilities they find in malware through extensive reverse engineering. Last February, one group was able to trace deficiencies in a piece of crypto-malware and produce a Python script capable of decrypting maliciously locked files.
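As an added illustration of why a hardcoded key undoes a locker of this kind (this is example code written for this page, not ESET's tooling and not the February group's script), the recovery routine below scans a directory for locked files, decrypts each one with the key recovered from the sample, and writes the result out only after the file's magic number confirms that the decryption actually worked. The key value, the ".enc" suffix, the extension list and the cipher itself are assumptions: the real malware used AES, and the SHA-256 counter-mode keystream here is a stand-in so that the code runs on the Python standard library alone. The sample "SD card" it works on is constructed inside the block.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumption: a placeholder standing in for the key that was hardcoded in the sample.
# It is not the real key, and the cipher below is not the malware's AES.
HARDCODED_KEY = b"placeholder-hardcoded-key"
ENCRYPTED_SUFFIX = ".enc"  # assumption: suffix the locker appends to each victim file

# Extensions the locker goes after (pictures, documents, video); the list is assumed.
TARGET_EXTENSIONS = {".jpg", ".jpeg", ".png", ".bmp", ".gif", ".pdf",
                     ".doc", ".docx", ".txt", ".avi", ".mkv", ".3gp", ".mp4"}

# File signatures used to confirm that a decryption really produced the original.
MAGIC = {
    ".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n", ".gif": b"GIF8", ".pdf": b"%PDF",
}


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Symmetric stand-in cipher: XOR with a SHA-256 counter-mode keystream.

    Encryption and decryption are the same operation. This replaces the
    malware's AES only so that the example runs on the standard library.
    """
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(b ^ k for b, k in zip(data, stream))


def looks_decrypted(ext: str, plaintext: bytes) -> bool:
    """Check the recovered bytes against the format's magic number where one exists."""
    expected = MAGIC.get(ext)
    return True if expected is None else plaintext.startswith(expected)


def recover_directory(root: Path, key: bytes) -> dict:
    """Decrypt every *.enc file under root with the known key.

    The encrypted copy is never deleted, and the plaintext is written only when
    its file signature checks out, so a variant using a different key cannot
    trick the tool into overwriting anything with garbage.
    """
    result = {"recovered": [], "skipped": []}
    for enc_path in sorted(root.rglob("*" + ENCRYPTED_SUFFIX)):
        original = enc_path.with_suffix("")  # photo.jpg.enc -> photo.jpg
        ext = original.suffix.lower()
        if ext not in TARGET_EXTENSIONS:
            result["skipped"].append((enc_path, "extension not one the locker targets"))
            continue
        plaintext = keystream_xor(key, enc_path.read_bytes())
        if not looks_decrypted(ext, plaintext):
            result["skipped"].append((enc_path, "signature mismatch: different key or variant"))
            continue
        original.write_bytes(plaintext)
        result["recovered"].append(original)
    return result


def make_infected_sample(root: Path) -> None:
    """Constructed test data: three fake files locked the way the malware would lock them."""
    fake_jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 64
    fake_pdf = b"%PDF-1.4\n% constructed sample\n" + b"\x00" * 32
    fake_png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 48
    (root / "photo.jpg.enc").write_bytes(keystream_xor(HARDCODED_KEY, fake_jpeg))
    (root / "scan.pdf.enc").write_bytes(keystream_xor(HARDCODED_KEY, fake_pdf))
    # Locked by a hypothetical variant with another key: the signature check must reject it.
    (root / "wrong-key.png.enc").write_bytes(keystream_xor(b"other-variant-key", fake_png))


def demo() -> dict:
    """Build the sample 'SD card' in a temp dir, run recovery and report what happened."""
    root = Path(tempfile.mkdtemp(prefix="sdcard-"))
    make_infected_sample(root)
    result = recover_directory(root, HARDCODED_KEY)
    return {
        "recovered": sorted(p.name for p in result["recovered"]),
        "skipped": sorted(p.name for p, _reason in result["skipped"]),
        "jpeg_intact": (root / "photo.jpg").read_bytes().startswith(b"\xff\xd8\xff\xe0"),
    }


if __name__ == "__main__":
    print(demo())
```

Two habits here matter more than the cipher: the tool never deletes the locked copy, and it refuses to write a "recovered" file whose bytes do not match the format's signature. Both protect the victim from a decryptor that was built for one sample and run against a later variant.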
Throughout this entire sorry state of affairs, we're missing some critical facts that should (if we were awake) be compelling us to rethink our approach to remote computing:
- Evidently crypto-malware skates right past not only the device's native file system protections, but any mobile device management that may be deployed there. On Android the SD card is shared storage: any app granted the external-storage write permission can read and rewrite every file on it, so neither file system permissions nor an MDM profile stand in the way. While for years MDM vendors have said that implementing mobile encryption, though feasible, is difficult, clearly some snot-nosed kid on the other side of the planet can do it remotely using a game box, a subscription to Amazon AWS or the like, and his dad's credit card.
- Smartphone users pay less attention to their mobile browsers than they do to their PC browsers. So while they are getting smarter about the nature and appearance of fake antivirus on Windows, when a "malvert" ad shows up on the phone pretending to be antivirus, people are all too eager to tap OK.
- Placing the onus for solving this dilemma entirely on the device user is both unfair and irresponsible. The key delivery mechanisms for these Flash, Silverlight and Java "malverts" are the advertising networks serving everyday websites. Legitimate Web publishers whose business models rely on "fire-and-forget" ad systems that build revenue for them in the background, and who pay no attention to the damage being done through those systems, should consider whether at some near-future date they may be held liable for that damage along with Bogachev.
- see the US-CERT release from last November on Cryptolocker
- read the article on Simplocker
- see the FBI charges against Evgeniy Bogachev
- see the Cisco statement on the RIG exploit kit
- read this blog from last February on crypto-malware