A new mobile ransomware variant uses a new trick to pressure victims into paying the ransom: it takes a photo of the user with the phone’s front-facing camera and inserts that photo into the ransom message.
The malware, posing as a porn app dubbed “Adult Player”, lurks on third-party app markets. When a user downloads and installs it (and grants it device administrator rights), the app shows a screen saying that an update is in progress.
What is really happening is that Adult Player downloads a second APK, which takes the picture of the user, collects information about the device, and sends both to one of its C&C servers, whose domains are hard-coded in the app.
The server returns a personalized ransom message, which the app displays while simultaneously locking the phone. There is no picture in the message the researchers captured, because they made sure the app couldn’t take one while they were testing it.
The message contains some information about the device, its (and therefore the user’s) IP address, and claims that the FBI is somehow involved.
The victim is asked to pay a $500 ransom via PayPal in order for the device to be unblocked.
Fortunately, users can unblock the device themselves: boot it into safe mode (the exact procedure differs between devices), revoke the app’s administrator privileges (Settings > Security > Device Administrator > select the app and deactivate it), and then uninstall it (Settings > Apps > Uninstall the app). The order matters: as long as the app holds device administrator rights, Android will refuse to uninstall it.
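As an added example (not code from the original article or from Zscaler), the following Python script shows the triage check behind that procedure: it parses the output of `adb shell dumpsys device_policy`, flags any active device administrator that is not on an allowlist, and prints the removal steps described above for each one. The sample dumpsys output, the package name `com.example.adultplayer` and the allowlist are constructed for illustration, and the line layout of `dumpsys device_policy` varies between Android versions, so the regular expression is an assumption to adjust for the device at hand.

```python
"""Find unexpected device administrators in `adb shell dumpsys device_policy` output.

Added example, not from the original article. Locker ransomware such as
"Adult Player" survives a plain uninstall because it holds device-administrator
rights, so the first question in triage is: which components are active admins?
"""
import re
from typing import List

# Admin components expected on a typical device (assumption; extend for a fleet).
ALLOWLIST = {
    "com.google.android.gms/.auth.managed.admin.DeviceAdminReceiver",
}

# Constructed sample modeled on dumpsys device_policy; not a real capture.
# The package name com.example.adultplayer is hypothetical.
SAMPLE_DUMPSYS = """Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.google.android.gms/.auth.managed.admin.DeviceAdminReceiver:
      uid=10007
      testOnlyAdmin=false
    com.example.adultplayer/.DeviceAdmin:
      uid=10103
      testOnlyAdmin=false
      policies:
        force-lock
        reset-password
  Password owner: -1
"""

# Admin entries sit at four-space indent as "<package>/<receiver class>:".
# Layout assumption; deeper-indented lines (uid=, policies:) do not match.
ADMIN_RE = re.compile(r"^\s{4}([A-Za-z0-9_.]+/[A-Za-z0-9_.$]+):\s*$", re.M)


def active_admins(dump: str) -> List[str]:
    """Return the admin component names in the order dumpsys lists them."""
    return ADMIN_RE.findall(dump)


def suspicious_admins(dump: str, allow=ALLOWLIST) -> List[str]:
    """Active admins that are not on the allowlist."""
    return [c for c in active_admins(dump) if c not in allow]


def removal_steps(component: str) -> List[str]:
    """The manual sequence from the article, with the package name filled in.

    Revoking admin rights must come before uninstalling: the package manager
    refuses to remove an active device administrator.
    """
    pkg = component.split("/", 1)[0]
    return [
        "Boot into safe mode so third-party apps, including the locker, do not start",
        f"Settings > Security > Device Administrator: deactivate {component}",
        f"Settings > Apps: uninstall {pkg} (or from a host: adb uninstall {pkg})",
    ]


if __name__ == "__main__":
    for comp in suspicious_admins(SAMPLE_DUMPSYS):
        print(f"[!] unexpected device admin: {comp}")
        for step in removal_steps(comp):
            print("    -", step)
```

On a real device, feed the script the output of `adb shell dumpsys device_policy` instead of the constructed sample; if USB debugging was never enabled the check still applies, but the list has to be read from the Device Administrator settings screen instead.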
“Ransomware and crypto malware, such as that imposed by pornographic app Adult Player, are rising at an alarming rate. Intel Security’s most recent Threats Report uncovered that ransomware shot up 127% in the past year alone,” commented Raj Samani, CTO EMEA Intel Security.
Zscaler researchers have also spotted additional apps belonging to this ransomware family that exhibit similar functionality.
“We are increasingly seeing hackers blackmailing online users with their most private and sensitive information, or even photos,” noted Samani. “Thanks to the pseudo-anonymity provided by digital currencies such as Bitcoin, hackers can simply buy the skills required to launch an attack online and accept ransom payment through the same technology. This makes ransomware and crypto malware a lucrative enterprise for online criminals, with successful attackers raking in tens of thousands worth of Bitcoin in a matter of weeks.”