BEC attacks are on the rise, but plain-old spoofing of business executives’ email accounts remains more prevalent.
The scammers abused the handling of pop-up dialogs in Mobile Safari in such a way that it would lock out a victim from using the browser. The attack would block use of the Safari browser on iOS until the victim pays the attacker money in the form of an iTunes Gift Card. During the lockout, the attackers displayed threatening messaging in an attempt to scare and coerce victims into paying.
However, a knowledgeable user could restore Mobile Safari by clearing the browser’s cache via the iOS Settings — the attack doesn’t actually encrypt any data and hold it ransom. Its purpose is to scare the victim into paying to unlock the browser before he realizes he doesn’t have to pay anything to recover data or regain access to the browser.
Lookout found this attack in the wild last month, along with several related websites used in the campaign, discovered the root cause, and shared the details with Apple. As part of the iOS 10.3 patch released today, Apple closed the attack vector by changing how Mobile Safari handles website pop-up dialogs, making them per-tab rather than taking over the entire app. We are publishing these details about the campaign upon the release of iOS 10.3.
An attack like this highlights the importance of ensuring your mobile device, or your employees’ mobile devices, are running up-to-date software. Left unpatched, bugs like this can unnecessarily alarm people and impact productivity.
This attack was initially reported to Lookout’s Support desk by one of our users running iOS 10.2. The user reported that he had lost control of Safari after visiting a website and was no longer able to use the browser. The user provided a screenshot (below) showing a ransomware message from pay-police[.]com, with an overlaid “Cannot Open Page” dialog from Safari. Each time he tapped “OK” he would be prompted to tap “OK” again, effectively putting the browser into an infinite loop of dialog prompts that prevented him from using the browser.
The user reported seeing the “Your device has been locked…” or “…you have to pay the fine of 100 pounds with an iTunes pre-paid card” messages and was no longer able to use the browser.
Abuse of pop-ups in Mobile Safari
The scammers abused the handling of pop-ups in Mobile Safari in such a way that a person would be “locked” out from using Safari unless they paid a fee — or knew they could simply clear Safari’s cache (see next section). The attack was contained within the app sandbox of the Safari browser; no exploit code was used in this campaign, unlike an advanced attack like Pegasus that breaks out of the app sandbox to install malware on the device.
The scammers registered domains and launched the attack from the domains they owned, such as police-pay[.]com, which the attackers apparently named with the intent of scaring users looking for certain types of material on the Internet into paying money. Examples range from pornography to music-oriented websites.
The attackers effectively used fear as a factor to get what they wanted before the victim realized that there was little actual risk.
The attack, based on its code, seems to have been developed for older versions of iOS, such as iOS 8. However, the abuse of pop-ups in Mobile Safari was still possible until iOS 10.3. An endless loop of pop-ups effectively locks up the browser, which prevents the victim from using Safari unless she resets the browser’s cache. iOS 10.3 no longer lets these pop-ups lock up the entire browser; dialogs are handled per tab, so if one tab is misbehaving, the user can close it and/or move to another one.
Before the iOS 10.3 fix was available, the victim could regain access without paying any money. Lookout determined the best course of immediate action for the user who initially reported it was to clear the Safari cache (Settings > Safari > Clear History and Website Data) to regain control of the browser. Once a person erases all web history and data, effectively starting Safari as a fresh app, the ransom campaign is defeated.
To clear browser history on iOS: Settings > Safari > Clear History and Website Data
Preventing the attack
Individuals are strongly encouraged to protect their iOS devices against this attack and take advantage of a number of other security patches that Apple made available in iOS 10.3. See https://support.apple.com/en-us/HT207617 for details. Lookout users will be prompted to update their operating system to 10.3 if they have not already done so.
Investigation into the campaign
“saved from url=(0070)http://apple-ios-front.gq/29300000/index.php?DATARE=Vylet%3A30_15%3A29”
“Mozilla/5.0 (iPhone; CPU iPhone OS 8_0_2 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12A366 Safari/600.1.4”
The code on this page also runs the following script before executing the obfuscated code:
The group involved in this campaign has purchased a large number of domains that try to catch users seeking controversial content on the internet and coerce them into paying a ransom.
Each site serves up a different message based on the visitor’s country code identifier. The sites, presumably, are used to target users visiting from different parts of the world. Each message carries a separate email address for the target to contact; these addresses appear to be country-specific and part of a wider phishing campaign.
The phishing domains and email addresses for each payload:
- U.S.: us.html networksafetydept@usa[.]com
- Ireland: ie.html justicedept@irelandmail[.]com
- UK: gb.html cybercrimegov@europe[.]com
- Australia: au.html federaljustice@australiamail[.]com
- New Zealand: nz.html cybercrimegov@post[.]com
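As an added triage helper that is not part of Lookout’s write-up, the following Python pulls the “saved from url” origin and any contact addresses out of a saved copy of one of these pages and maps the address back to the per-country payload listed above. The contact list is kept defanged as published; the sample page is constructed, reusing only the origin URL and UK address quoted in this post.

```python
import re

# Per-country payload page and contact address as listed in the write-up,
# kept defanged ("[.]") exactly as published and refanged only for matching.
CAMPAIGN_CONTACTS = {
    "us.html": "networksafetydept@usa[.]com",
    "ie.html": "justicedept@irelandmail[.]com",
    "gb.html": "cybercrimegov@europe[.]com",
    "au.html": "federaljustice@australiamail[.]com",
    "nz.html": "cybercrimegov@post[.]com",
}

# Browsers record the origin of a saved page as "saved from url=(NNNN)<url>".
SAVED_FROM_RE = re.compile(r"saved from url=\(\d{4}\)(\S+)")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'usa[.]com' back into its live form."""
    return indicator.replace("[.]", ".")


def triage_saved_page(html: str) -> dict:
    """Extract the origin URL and contact addresses from a saved scareware page
    and report which country-specific payload (if any) the contact address matches."""
    m = SAVED_FROM_RE.search(html)
    origin = m.group(1) if m else None
    emails = sorted(set(EMAIL_RE.findall(html)))
    hits = [payload for payload, addr in CAMPAIGN_CONTACTS.items()
            if refang(addr) in emails]
    return {
        "origin_url": origin,
        "contact_emails": emails,
        "payload_hits": sorted(hits),
        "is_campaign_page": bool(hits),
    }


# Constructed sample: a saved copy of a UK-targeted page, built from the
# origin URL and the gb.html contact address quoted in the write-up.
SAMPLE_PAGE = """<!-- saved from url=(0070)http://apple-ios-front.gq/29300000/index.php?DATARE=Vylet%3A30_15%3A29 -->
<html><body>
<p>Your device has been locked. To unlock it you have to pay the fine of 100 pounds
with an iTunes pre-paid card and send the code to cybercrimegov@europe.com.</p>
</body></html>"""

if __name__ == "__main__":
    print(triage_saved_page(SAMPLE_PAGE))
```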
Lookout researchers continue to monitor this and other related campaigns, as well as work with platform providers to address security concerns as they arise.
The FBI warns medical and dental organizations of cybercriminals targeting anonymous FTP servers to steal personal health data.
Exec at Symantec spells out what company will do if Google follows through on its proposed plans to degrade trust in Symantec certs.
BLU manufactured mobile devices have been discovered with preinstalled adware known as Android/Adware.YeMobi.
Behavior of YeMobi
The incriminating behavior of adware YeMobi is its ability to launch the default browser on a mobile device and use it to display ads. There is an unusual element to this as well—it only displays ads while the Google Play store app is running. As seen in the code below, if com.android.vending (the Google Play store app) is active, the activity MessageLoadDetail is loaded. Activity MessageLoadDetail then goes on to display ads.
The rise of preinstalled malware
Buying a new phone only to find it comes preinstalled with adware or even more dangerous malware is frustrating. Trust us, it’s just as frustrating not being able to remove these apps for our customers.
With the ease of selling online, Android devices re-imaged with custom ROMs (“Read-Only Memory”) containing preinstalled shady/malicious apps are appearing more and more on the online marketplace. Sellers can easily re-image an Android device with a custom ROM, which replaces the default operating system—typically stored in read-only memory. Sellers then turn around and sell these devices cheaply online.
Just as when installing apps, it’s important to buy your mobile device from trusted sources. Avoid buying devices online from untrusted sellers or stores, even if the price is hard to pass up.
Disabling YeMobi and other preinstalled apps
Because Android protects essential operating system apps from being removed, you cannot uninstall preinstalled apps. However, you can disable some preinstalled apps—like Adware YeMobi. Simply go into Settings > Apps, find the YeMobi app, open its settings, and disable it via the Disable button.
Finding preinstalled malware on your device can be tricky—a mobile scanner can assist with finding them for you. Malwarebytes Anti-Malware Mobile detects Adware YeMobi along with other preinstalled malware and can be found for FREE on Google Play.
As always, stay safe out there!
The post Mobile Menace Monday: Preinstalled adware and sometimes worse appeared first on Malwarebytes Labs.