More Adult Themed Android Ransomware

SHIVANG DESAI
September 03, 2015 - 4 min read
During the course of our daily malware hunt, we came across a new mobile ransomware variant that leverages pornography to lure victims into downloading and installing it. We'd previously blogged about similar Android malware.

App Name: Adult Player
URL: hxxp://accanalasti247[.]topliberatone[.]pw/video_player.php?s=Zomhj9PlVZc=&name=Mp4TubePlayer_v5.562.apk&type=1&tpl=1&l=EN
MD5: 6ed2451d1300ff75e793744bb3563638
Package Name: content.mercenary.chiffon

Overview:
This ransomware acts as a porn app named "Adult Player" and lures victims who assume it is a pornographic video player. When the victim starts using it, the app silently takes a photo of the victim, which is then displayed on the ransomware screen along with the ransom message. The app demands a ransom of 500 USD.

[Figure: Icon]
Admin Activation:
Upon opening the app, it asks for admin rights as shown below:
[Figure: Admin privilege]
After clicking "Activate", the app shows a fake update page but nothing really happens in terms of an update.
[Figure: Fake update page]

The malware then loads another APK, named test.apk, from its own local storage (/data/data/content.mercenary.chiffon/app_dex/test.apk) using a technique referred to as a reflection attack.

Reflection is the ability of a program to examine and modify the behavior of an object at run time, instead of compile time.
 
[Figure: APK stored in app's local storage]
The specific reason for using reflection remains unknown but one reason could be to evade static analysis and detection.
[Figure: Loading test.apk]

Personalized Ransom Screen:
The ransomware checks whether a front camera is available. If it is, the app takes a photo of the victim while they are using the app and displays the image on the ransom page.

[Figure: Camera check]
The majority of the malicious activities are then conducted by the newly loaded test.apk. The malware connects to the following hard-coded domains contained in the app:
  • hxxp://directavsecurity[.]com
  • hxxp://avsecurityorbit[.]com
  • hxxp://protectforavno[.]net
  • hxxp://trustedsecurityav[.]net
[Figure: Hard-coded domains]
The malware then sends the following details, including the victim's mobile device and operating system information, to the remote server:
[Figure: Data sent in requests]

Ultimately, the malware receives a custom ransom page at run time in a multi-encoded response from the aforementioned servers.

[Figure: Decoded ransom message]
Once the response is received, the ransomware locks the phone and displays the following ransom screen.
[Figure: Ransom page 1 (user image displayed here)]

[Figure: Ransom page 2]
 
The ransom screen is designed to persist even across a reboot. It does not allow the user to operate the device and keeps the screen active with the ransom message.

[Figure: Broadcast receiver acting on particular events]

[Figure: Preventing device from sleeping]
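The behaviours above (device-admin receiver, boot-completed receiver, camera and wake-lock permissions, a second APK loaded through DexClassLoader) are exactly what a static triage pass can look for. The following Python is an added example, not code from the original post or from Zscaler: it scores a decoded AndroidManifest.xml plus a list of string constants taken from classes.dex; the manifest, the string list, and the permission and marker sets are constructed assumptions, and only the package name comes from the post.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that together match the behaviour described above (assumed set).
WATCHED_PERMISSIONS = {
    "android.permission.CAMERA",
    "android.permission.RECEIVE_BOOT_COMPLETED",
    "android.permission.WAKE_LOCK",
}
# String constants that hint at a second APK being loaded at run time (assumed).
DYNAMIC_LOAD_MARKERS = ("dalvik.system.DexClassLoader", "app_dex/")


def triage(manifest_xml, dex_strings):
    """Return the indicators found in a decoded manifest and a simple additive score."""
    root = ET.fromstring(manifest_xml)
    name = ANDROID_NS + "name"
    perms = {p.get(name) for p in root.iter("uses-permission")}
    # A receiver guarded by BIND_DEVICE_ADMIN is how an app asks for admin rights.
    admin = any(r.get(ANDROID_NS + "permission") == "android.permission.BIND_DEVICE_ADMIN"
                for r in root.iter("receiver"))
    # A BOOT_COMPLETED action is what lets the lock screen return after a reboot.
    boot = any(a.get(name) == "android.intent.action.BOOT_COMPLETED"
               for a in root.iter("action"))
    loaders = sorted(s for s in dex_strings if any(m in s for m in DYNAMIC_LOAD_MARKERS))
    found = sorted(perms & WATCHED_PERMISSIONS)
    score = len(found) + 2 * admin + 2 * boot + 2 * bool(loaders)
    return {"permissions": found, "device_admin": admin, "boot_receiver": boot,
            "dynamic_loading": loaders, "score": score}


# Constructed sample manifest, not the real sample's; only the package name is from the post.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="content.mercenary.chiffon">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <application>
    <receiver android:name=".Admin" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
    <receiver android:name=".Boot">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""
# Constructed string constants, as a dex string dump might contain them.
SAMPLE_STRINGS = ["dalvik.system.DexClassLoader", "app_dex/test.apk", "video_player"]


def sample_report():
    return triage(SAMPLE_MANIFEST, SAMPLE_STRINGS)


if __name__ == "__main__":
    print(sample_report())
```

A benign video player would normally score zero or one here; a high score is a triage cue for a closer look, not a verdict on its own.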

More variants:
We also encountered additional apps belonging to this ransomware family and exhibiting similar functionality.

Sample MD5s:
  • ecd8c9eeae86c0d7d3c433e887fd5d3a
  • b544785176ed8152671bac94a18ca9d0
  • 9c731690985ce7c13ca9b25b9139d6a3


Mitigation:
The ransomware is designed to stay fixed on screen and does not allow the victim to uninstall it. Rebooting the device does not help in such cases, as the ransomware app becomes active immediately after reboot, leaving the victim no opportunity to get into the device "Settings" and uninstall it.

In such scenarios, it can be removed using the following steps:

  1. Boot the device into safe mode (note that how you enter "safe mode" varies by device). Safe mode boots the device with default settings without running third-party apps.
  2. Uninstalling the ransomware requires you to first remove its administrator privilege. To do so, go to Settings --> Security --> Device Administrator, select the ransomware app, then deactivate it.
  3. Once this is done, go to Settings --> Apps and uninstall the ransomware app.

Prevention:
To avoid becoming a victim of such ransomware, it is always best to download apps only from trusted app stores, such as Google Play. This can be enforced by unchecking the "Unknown Sources" option under the "Security" settings of your device.