Android porn app snaps pic of user, locks it on home screen with $500 ransom demand

News
Sep 09, 2015 | 4 mins
Data and Information Security, Microsoft, Security

Researchers have discovered new mobile ransomware. The Adult Player Android app secretly snaps a photo of the user while he or she uses the app, plasters it on a locked screen and demands a $500 ransom.

Some unlucky individuals thought they had downloaded the Android app Adult Player to watch porn videos, but the app silently takes a photo of users while they use the app and then displays the image on the home screen, along with a ransom note demanding $500.

Researchers from Zscaler’s ThreatLab first discovered the “new mobile ransomware variant that leverages pornography to lure victims into downloading and installing it.” Perhaps the desire to view porn is stronger than common sense, because the app asks to be activated as a device administrator, a privilege no video player needs. It asks for the right to monitor screen-unlock attempts and to “lock the phone or erase all the phone’s data if too many incorrect passwords are typed.”

Users who go ahead and tap “Activate” are shown what looks like an update in progress, but the update page is fake and simply covers the malware’s activation. Zscaler explained, “The malware then loads another APK named test.apk from its local storage using a technique referred to as a reflection attack. Reflection is the ability of a program to examine and modify the behavior of an object at run time, instead of compile time.” Zscaler did not determine why reflection is used, but suggested it could be an attempt to “evade static analysis and detection.” The point for defenders is that the second-stage code lives in a separate APK rather than in the main app’s own compiled classes, so a scanner that inspects only the code the app ships in its main dex never sees it.

When a victim first starts using the app, the mobile ransomware checks for a front-facing camera and then uses it to secretly snap their photo. “The malware sends details on the victim’s mobile device and operating system to the remote server.” The phone then locks with a victim’s photo and a ransom message demanding $500 on the home screen. Rebooting doesn’t clear it, as the ransom screen is designed to stay persistent. A victim can’t even try to uninstall it, as “it does not allow the user to operate the device and keeps the screen active with the ransom message.”
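The behaviours described above (a second APK carried inside the first, DexClassLoader plus reflection to load it, a device-admin receiver, and camera access) all leave recognisable strings in an APK before it is ever installed. The following static triage is an added example written for this article; it is not Zscaler’s tooling, the marker strings are the standard Android type descriptors and action names, and the “APK” it scans is a constructed zip built in memory, not the real Adult Player sample.

```python
"""Static triage of an APK for the indicators the article describes.
Constructed example; the sample APK below is a made-up zip, not a real sample."""
import io
import re
import zipfile

# Strings as they appear in a dex string pool (type descriptors) or a manifest (action names).
DYNAMIC_LOAD_MARKERS = (b"Ldalvik/system/DexClassLoader;", b"Ljava/lang/reflect/Method;")
DEVICE_ADMIN_MARKERS = (b"android.app.action.DEVICE_ADMIN_ENABLED",
                        b"android.app.action.ADD_DEVICE_ADMIN")
CAMERA_MARKERS = (b"Landroid/hardware/Camera;", b"android.permission.CAMERA")
NESTED_PAYLOAD_RE = re.compile(r"\.(apk|dex|jar)$", re.IGNORECASE)


def _contains_any(blob: bytes, markers) -> bool:
    # The compiled AndroidManifest.xml usually stores strings as UTF-16LE, so a plain
    # ASCII search would miss it; check both encodings.
    for m in markers:
        if m in blob or m.decode("ascii").encode("utf-16-le") in blob:
            return True
    return False


def triage_apk(apk_bytes: bytes) -> dict:
    """Report which of the four indicators are present in the archive."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = z.namelist()
        # Top-level classes.dex / classes2.dex ... is the app's own code.
        dex = b"".join(z.read(n) for n in names if n.endswith(".dex") and "/" not in n)
        manifest = z.read("AndroidManifest.xml") if "AndroidManifest.xml" in names else b""
        # Anything .apk/.dex/.jar below a subdirectory (assets/, res/raw/) is a nested payload.
        nested = sorted(n for n in names if "/" in n and NESTED_PAYLOAD_RE.search(n))
    return {
        "nested_payloads": nested,
        "dynamic_loading": all(m in dex for m in DYNAMIC_LOAD_MARKERS),
        "device_admin": _contains_any(dex + manifest, DEVICE_ADMIN_MARKERS),
        "camera": _contains_any(dex + manifest, CAMERA_MARKERS),
    }


def verdict(findings: dict) -> str:
    """A device-admin app that also loads hidden code at run time is the article's pattern."""
    if findings["device_admin"] and (findings["nested_payloads"] or findings["dynamic_loading"]):
        return "suspicious: device-admin app that loads a second APK at run time"
    if any(findings.values()):
        return "review: some indicators present"
    return "no indicators"


def build_sample_apk(malicious: bool = True) -> bytes:
    """Construct a fake APK (a plain zip) with or without the indicators. Not a real app."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        if malicious:
            z.writestr("AndroidManifest.xml", "android.permission.CAMERA".encode("utf-16-le"))
            z.writestr("classes.dex", b"dex\n035\0" + b"\0".join(
                DYNAMIC_LOAD_MARKERS + DEVICE_ADMIN_MARKERS + (b"Landroid/hardware/Camera;",)))
            z.writestr("assets/test.apk", b"PK\x03\x04 placeholder second-stage APK")
        else:
            z.writestr("AndroidManifest.xml", "android.permission.INTERNET".encode("utf-16-le"))
            z.writestr("classes.dex", b"dex\n035\0Ljava/lang/String;\0")
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (True, False):
        f = triage_apk(build_sample_apk(flag))
        print(f, "->", verdict(f))
```

Run against a real file with `triage_apk(open("sample.apk", "rb").read())`. Camera access on its own is not a signal (plenty of legitimate apps use it); the combination of a device-admin receiver with a nested APK or DexClassLoader is what makes a video player worth a closer look, and it is exactly the part a scanner that only reads the main dex would miss.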

There may be many reasons to change Android’s security settings to allow installing apps from “unknown sources,” such as to score on Amazon Underground’s $10,000 worth of free Android apps, but one of the most common is viewing porn. The setting matters because apps like Adult Player are sideloaded rather than installed from Google Play, and once it is on, any APK from any site installs the same way. Zscaler advises not to allow apps from unknown sources.

Not only is the victim’s phone locked with a ransom demand, but the malware also adds a scare tactic by claiming the FBI is accusing the victim of a crime. A user might be so rattled that he or she doesn’t notice the fake FBI warning refers to a PC rather than a phone.

Zscaler showed a portion of the final decoded ransom demand.

FBI. ATTENTION! Your device has been blocked up for safety reasons listed below. All the actions performed on this PC are fixed. All your files are encrypted. You are accused of viewing/storage and/or dissemination of banned pornography (child pornography/zoophilia/rape etc). You have violated World Declaration on non-proliferation of child pornography. You are accused of committing the crime envisaged by…

Interestingly, Zscaler reported finding another mobile porn ransomware app in May. Porn Droid Android ransomware relied heavily on scaring victims into paying the demand by claiming it came from the FBI. The FBI warning screen also contained “dynamic information relevant to the infected device such as the browser history, IMEI number, phone number and victim’s picture, which has been taken by the malicious app.” Even the ransom payment tab had an FBI header.

Zscaler director of security research Deepen Desai confirmed that the Adult Player ransomware could have originated from the same authors behind Porn Droid.

How to remove Adult Player ransomware

Although Adult Player ransomware “is designed to stay stagnant on screen and does not allow the victim to uninstall it,” Zscaler detailed mitigations for the malicious porn ransomware app.

Rebooting the device does not work in such cases as [the] ransomware app becomes active immediately after reboot, which leaves no scope for the victim to get into device “settings” and uninstall the ransomware.

In such scenarios, it can be removed by using the following steps:

1. Boot device into safe mode (Please note that entering “safe mode” varies depending on your device). Safe mode boots the device with default settings without running third-party apps.

2. Uninstalling the ransomware from the device requires you to first remove its administrator privilege. To do so, go to Settings –> Security –> Device Administrator, select the ransomware app, then deactivate it.

3. Once this is done, go to Settings –> Apps, select the ransomware app and uninstall it.
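Before and after step 2 it helps to see which apps actually hold the device-admin policies the ransomware abuses (watch unlock attempts, lock the screen, wipe the device), which `adb shell dumpsys device_policy` lists. The following helper is an added example for this article, not part of Zscaler’s procedure: the dumpsys text it parses is constructed to match the layout of that command on Android 5/6 (the policy names `watch-login`, `force-lock`, `wipe-data` are the ones Android prints; the layout may differ on other builds), the package `com.example.adultplayer` is made up, and the allow-list is an assumption you would fill in for your own fleet.

```python
"""Find active device admins holding the policies the ransomware uses, from
`adb shell dumpsys device_policy` output. Constructed example; sample output is made up."""
import re

# Policies the article describes: monitor unlock attempts, lock the screen, wipe data.
ABUSED_POLICIES = {"watch-login", "force-lock", "wipe-data"}
# Packages you expect to hold such policies (MDM, corporate mail). Assumed for this example.
KNOWN_GOOD = {"com.android.email"}

# Constructed sample, not captured from a real device; the second package name is invented.
SAMPLE_DUMPSYS = """\
Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.android.email/com.android.email.SecurityPolicy$PolicyAdmin:
      uid=10037
      policies:
        limit-password
        force-lock
        wipe-data
    com.example.adultplayer/.AdminReceiver:
      uid=10123
      policies:
        watch-login
        force-lock
        wipe-data
"""

_ADMIN_RE = re.compile(r"^([\w.]+)/([\w.$]+):$")   # "package/ReceiverClass:"
_POLICY_RE = re.compile(r"^[a-z]+(?:-[a-z]+)*$")   # "force-lock", "wipe-data", ...


def parse_active_admins(dumpsys_text: str) -> dict:
    """Map each active admin component ("pkg/Class") to the set of policies it holds."""
    admins, current = {}, None
    for raw in dumpsys_text.splitlines():
        line = raw.strip()
        m = _ADMIN_RE.match(line)
        if m:
            current = f"{m.group(1)}/{m.group(2)}"
            admins[current] = set()
        elif current and _POLICY_RE.match(line):   # skips "uid=..." and "policies:" lines
            admins[current].add(line)
    return admins


def suspicious_admins(admins: dict) -> dict:
    """Admins outside the allow-list that hold any of the abused policies."""
    return {comp: pols & ABUSED_POLICIES for comp, pols in admins.items()
            if comp.split("/")[0] not in KNOWN_GOOD and pols & ABUSED_POLICIES}


def removal_plan(component: str) -> list:
    """The three steps above, with the adb command that replaces the Settings -> Apps step."""
    pkg = component.split("/")[0]
    return [
        "boot into safe mode (key combination is device-specific)",
        f"Settings -> Security -> Device Administrator: deactivate {component}",
        f"adb uninstall {pkg}",
    ]


if __name__ == "__main__":
    for comp, pols in suspicious_admins(parse_active_admins(SAMPLE_DUMPSYS)).items():
        print(comp, sorted(pols))
        print("\n".join(removal_plan(comp)))
```

Feed it real output with `parse_active_admins(subprocess.run(["adb", "shell", "dumpsys", "device_policy"], capture_output=True, text=True).stdout)`. Run it again after deactivating the admin: the component should be gone from the list before you uninstall, because the package manager refuses to remove a package that is still an active admin. The adb route assumes USB debugging was already enabled; if the ransom screen blocks you from enabling it, the Settings -> Apps step in safe mode is the fallback.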

Ms. Smith

Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues. She focuses on the unique challenges of maintaining privacy and security, both for individuals and enterprises. She has worked as a journalist and has also penned many technical papers and guides covering various technologies. Smith is herself a self-described privacy and security freak.