Enter Adult Player. A malicious app that lures users into thinking that it is an innocent-- I mean, simple pornographic video player app.
[Image: Come on. Who'd think that that's malware?]
However, the malware will load another APK, test.apk, from its local storage using a reflection attack technique -- a technique used to examine and modify the behavior of an object at run time instead of compile time. The technique used may also evade static analysis and detection.
The malware will then check if the infected device has an available front camera. If there is an available front cam, the malware secretly takes a photo of the user while they are using the app then displays the picture on a customized ransom page.
"R-ransom?!", you say? Oh, yes. This app is actually a Ransomware.
Almost all of the app's malicious activities will be conducted by the newly loaded test.apk. The malware connects to a bunch of hard-coded domains contained within the app. It will also send the infected device's device information (model, manufacturer, board, brand, device, hardware and product), SDK version and SDK release to a remote server. The malware will then receive a custom ransom page at run time in a multi-encoded response from the said domains.
Once the response is received, the ransomware will lock the user's device and display the custom ransom page with the user's picture.
[Image: sample custom ransom page 1]
[Image: sample custom ransom page 2]
The ransom page was designed to load even if the infected device is rebooted. It will not allow the user to operate their device and will keep the screen active with the ransom message.
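A static triage check for the dropper pattern described above (a second APK loaded at run time, plus camera access), written as an added example and not taken from the malware or from the referenced research. It assumes the secondary package ships inside the outer APK; the `assets/test.apk` path and the sample archive are constructed for illustration.

```python
import io
import zipfile

ZIP_MAGIC, DEX_MAGIC = b"PK\x03\x04", b"dex\n"
MAX_ENTRY = 64 * 1024 * 1024  # skip oversized entries instead of inflating them

# Dex type descriptors for the behaviours the post describes.
INDICATORS = {
    "dynamic_code_loading": [b"Ldalvik/system/DexClassLoader;",
                             b"Ldalvik/system/InMemoryDexClassLoader;"],
    "reflection": [b"Ljava/lang/reflect/Method;"],
    "camera": [b"Landroid/hardware/Camera;",
               b"Landroid/hardware/camera2/CameraManager;"],
}

def triage_apk(data: bytes) -> dict:
    """Flag nested APK/dex payloads and loader/camera references in one APK."""
    nested, hits = [], set()
    with zipfile.ZipFile(io.BytesIO(data)) as apk:
        for info in apk.infolist():
            if info.is_dir() or info.file_size > MAX_ENTRY:
                continue
            name, body = info.filename, apk.read(info)
            top_dex = "/" not in name and name.startswith("classes") and name.endswith(".dex")
            if top_dex:
                hits |= {k for k, needles in INDICATORS.items()
                         if any(n in body for n in needles)}
            elif body[:4] in (ZIP_MAGIC, DEX_MAGIC):
                nested.append(name)  # a second package hidden inside the first
    return {"nested_payloads": nested, "indicators": hits,
            "suspicious": bool(nested) and "dynamic_code_loading" in hits}

def build_sample(with_payload: bool = True) -> bytes:
    """Constructed, inert sample shaped like the dropper (not a real APK)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("classes.dex", DEX_MAGIC + b"035\x00")
    strings = b"\x00".join(sum(INDICATORS.values(), [])) if with_payload else b""
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("classes.dex", DEX_MAGIC + b"035\x00" + strings)
        z.writestr("res/raw/readme.txt", b"plain text resource")
        if with_payload:
            z.writestr("assets/test.apk", inner.getvalue())  # assumed location
    return outer.getvalue()

if __name__ == "__main__":
    print(triage_apk(build_sample()))
```

String matching of this kind misses class names that are assembled at run time and resolved through reflection, which is why the post notes that the technique can evade static analysis. The nested-payload check does not depend on those strings, but it only helps when the second APK is packaged with the first rather than downloaded later.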
Article Refs: http://research.zscaler.com/2015/09/more-adult-themed-android-ransomware.html and http://news.softpedia.com/news/android-pornography-app-takes-pictures-of-users-and-blackmails-them-for-cash-491128.shtml