A mobile porn app, dubbed “Adult Player,” is on the hunt for ransomware victims.
The app targets users by silently taking photos of them as they use the app. Eventually, the images are displayed on-screen, along with a ransom message demanding payment of $500 USD.
The app is for Android and is available only from sources other than Google Play. Security firm Zscaler discovered that once Adult Player is installed on the user's device, it shows a fake update that activates the malware in the app.
The malware also loads another APK, named test.apk, from its local storage, using a technique referred to as a reflection attack; after this, the phone is in the hands of the ransomware variant.
The malware also sends details on the victim's mobile device and operating system to the remote server.
The ransomware is designed to remain fixed on screen and does not allow the victim to uninstall it. Rebooting the device doesn't help either, because the ransomware app becomes active immediately after reboot, leaving the victim no opportunity to open the device "settings" and uninstall it.
However, it can be removed by booting the device into safe mode, which starts the device with default settings without running third-party apps; Zscaler noted the steps in its analysis.