Android.Locker/Dogspectus

28th December 2016

Software engineer Darren Cauthon tweeted about how: ‘Family member’s tv is bricked by Android malware. #lg won’t disclose factory reset. Avoid these “smart tvs” like the plague.’

To put this into some perspective, this isn’t a recent model: he explains that ‘It was one of the first google tvs.’ (Google TV is no longer supported, and LG smart TVs now run on WebOS, apparently. However, Google is said to be working on another Android-based platform.)

Catalin Cimpanu reports for Bleeping Computer that ‘Cauthon says he tried to reset the TV to factory settings, but the reset procedure available online didn’t work.’ When contacted, it seems that LG suggested that an engineer could reset the TV at a cost of $340. Cimpanu suggests that the malware is probably FLocker (a.k.a. Dogspectus).

Commentary by David Bisson for MetaCompliance here.

[21st May 2016]

Fortinet makes a similar connection between Bluecoat’s article and SonicWALL’s (see below) and offers its own Dogspectus analysis.

[Added 18th May 2016]

SonicWALL warns of an embryonic screenlocker that it expects to see more of in the future. Commentary by Kaspersky – MALWARE-LACED PORN APPS BEHIND WAVE OF ANDROID LOCKSCREEN ATTACKS – and The Register: Smut apps infecting Androids with long-gestation nasties – Is that a KitKat in your pocket or are you just trying to p0wn me?

[26th April 2016] Help Net flagged an interesting instance of an exploit kit delivering Android.Locker ransomware to Android users – Exploit kit targets Android devices, delivers ransomware.

Bluecoat researchers happened across the ransomware – Towelroot and Leaked Hacking Team Exploits Used to Deliver “Dogspectus” Ransomware to Android Devices – when

…a test Android device in a lab environment was hit with the ransomware when an advertisement containing hostile Javascript loaded from a Web page.

Like some older ransomware, the self-labelled Cyber.Police doesn’t encrypt files: it simply locks the device, and demands that the victims pay a $200 fine in the form of two $100 iTunes gift cards. Bizarre, considering that the malware claims to represent an ‘American national security agency’ in true ‘FBI/Police virus’ fashion, though it’s hard to imagine that any of its victims believe it to be official. (However, there are plenty of places you can resell or exchange gift cards for something other than music.) Bluecoat calls it Dogspectus (presumably connected with the malware’s internal name net.prospectus?) but other companies name it as a variant of the Android.Locker family.

While VirusTotal isn’t really intended or usable as a cast-iron way to track the security industry’s response to a threat, it may be worth noting that, while quite a few companies detect the .apk, detection of the Towelroot exploit executable is much sparser.

Further commentary:

[Added 25th May 2016]

For Malwarebytes, Chris Boyd reports on the Cyber.Police Android ransomware posing as an ‘Adult Player’, and its ludicrous claim that the victim can pay a ‘Treasury’ fine with iTunes gift cards. Who’d have thought that law enforcement were such dedicated music lovers?