There's a way to remove the ransom message when infected

Sep 7, 2015 23:09 GMT

An Android app called Adult Player is being used to serve ransomware to users seeking to view online pornography from their mobile devices.

While these types of applications have been used in the past to deliver malware, Zscaler security researchers have discovered a new Android pornographic app that comes with a twist: it secretly takes the user's picture and then uses it inside the ransom message.

The app sneakily asks for admin rights

As the Zscaler team describes, when users open the Adult Player application for the first time after installing it, they are prompted with a message asking them to grant the application admin rights so it can update one of its modules, supposedly the one that monitors screen-unlock attempts.

If users, unaware that this kind of behavior is usually a sign of malware activity, grant the application admin rights, they'll be greeted by a white screen for several seconds while the application performs its "fake" update.

Unbeknownst to victims, during this time the Adult Player application is actually loading another APK file that hosts the malware code, which secretly snaps a photo using the front-facing camera.

The photo, along with other phone details, is then sent to the malware's C&C server, which is reachable via four domains hard-coded in the app (trustedsecurityav.net, protectforavno.net, directavsecurity.com, and avsecurityorbit.com).

The C&C server then assembles a custom ransom page and sends it back to the phone.

How sweet, a ransom message customized with your own face

Once the ransom page is received by the user's phone, the "fake" update message is removed, and the ransom message is shown with the user's photo at the center of the screen.

The user is asked to pay a $500 / €450 ransom to have his phone unlocked and files decrypted. To make the ransom more credible, details like the user's IP, country, or mobile carrier are also shown.

Because this malware is boot persistent and keeps the screen permanently active and frozen on the ransom message, the user won't be able to use his phone unless he pays up.

As Zscaler researchers point out, the only way to remove this ransomware from your phone is to boot into safe mode, deactivate the app from Settings --> Security --> Device Administrator, and then uninstall it from Settings --> Apps --> Uninstall.

[Image gallery: Adult Player ransomware (4 images). Captions: Adult Player Android app spreads ransomware; the app sneakily asks for admin rights; once infected, the user is greeted by a ransom message.]