Android ransomware lures with porno, takes your picture and then ‘fines’ you
Mon 7 Sep 2015
Researchers at zScaler have identified a new strain of Android-based ransomware that activates your phone’s camera in order to incorporate your own picture into its blackmail note.
Adult Player’s icon in an array of Android apps
The report outlines the behaviour and methods of ‘Adult Player’, which boasts a fulsome icon promising access to pornographic content, but which upon installation immediately locks the user’s screen, engages the camera’s phone to take a picture of the victim, and then pastes it into a bogus FBI notice which demands a ‘fine’ of $500.
Even in a culture of end-users happily clicking away rights and privacy in exchange for ‘cool’ or useful apps, Adult Player’s TOS would probably stop most users who had any blood supply left in their cranial region. Upon installation the ransomware demands the right to:
Monitor screen-unlock attempts
Monitor the number of incorrect passwords typed, when unlocking the screen, and lock the phone or erase all the phone’s data if too many incorrect passwords are typed.
Upon user acceptance the process loads another Android application package (APK) called test.apk via a reflection attack, during which a malicious process can evade a challenge-response authentication by bi-lateral use of the same authentication protocol (the two malign processes, one of which has already been ‘okayed’ by the user, authenticate each other).
Most of the rest of the work of Adult Player is then handled by test.apk, which loads these hard-coded domains into memory and contacts them:
hxxp://directavsecurity[.]com
hxxp://avsecurityorbit[.]com
hxxp://protectforavno[.]net
hxxp://trustedsecurityav[.]net
Thereafter Adult Player sends a slew of user information to the C&C servers, including model, manufacturer, motherboard and branding, before receiving back a customised ransom notice which contains the user’s face, as taken earlier in the process if the smartphone was found to have a front-facing camera.
Fine’ demand of Adult Player android app. The victim’s face is normally in the above section (we winged it).
Who would have thought the FBI took PayPal?
There seems to be no particular purpose to the taking and usage of a victim-snap, except for extra intimidation and to ‘personalise’ the response, as if to make the victim aware that he (and let’s face it, the victim is almost certainly male) has been specifically individuated for this treatment rather than just made witness to a passive malware script.
The ransom screen survives the reboot process and prevents the user operating the device, activating so early in the boot process as to make interception impossible. However zScaler provide advice on removing Adult Player, which involves booting the phone into safe mode on default settings, removing administrator privilege from the installed app and then deactivating. This done, the app can be uninstalled.
Though the article makes no comment on it, the use of a PayPal over a Bitcoin or other cryptocurrency account combines with the prurient nature of the app and the relative ease with which it can be removed (once you know how) to suggest a certain enthusiastic but inexperienced youthful spirit behind the initiative.
