Android Ransomware Hidden Behind Fake Pornography App

Image Credit: Android Pit

Android is one of the most vulnerable OS in the world — If you are an Android user you need to be careful with downloading apps.

Several malicious mobile apps have been surfaced on the Internet, which is a ransomware variant that takes advantage of offering pornography as a bait for targeted victims into downloading and installing these apps on their mobile phones, and these malicious ransomware apps are targeted towards Android user base.

Hackers Develop Android Malware Every 17 Seconds

Image Credit: Android Pit

According to the research conducted by security experts over at US-based security firm Zscaler, once the malicious app has been installed onto the victim’s mobile, it covertly takes pictures of the victim using the front-facing camera and then completely locks the device by displaying a message demanding ransom of over $500.

It has been observed that cyber crimes based on ransomware malware is becoming a profitable zone for cybercriminals and hackers. Earlier last month, Yahoo advertisement network was hacked and exploited by cybercriminals to serve ransomware advertisements to the users, putting millions of devices vulnerable.

On the right side, you can see the permission this app asks for

One of the disclosed names of the malicious app is “Adult Player” which targets the victim by enticing them into assuming that this is a pornographic video player. But once the app has been successfully installed onto the victim’s device, the app silently takes picture of the victim; records the IP address and other details of the mobile phone, and then displays those details along with the ransom message embedded with the picture on the mobile phone’s screen.

What Happens At The Backend

After successful installation of the malicious pornography app, it stimulates a message onto the screen asking for administration rights to ‘monitor screen unlocking attempts’. Once ‘Activate’ button is pressed and the rights have been granted, the app presents a bogus white colored update page, but nothing really happens in reality.

The malware then initiates installation of another malicious app from a local storage using a reflection attack at the location,


What reflection attacks actually do is the examination and modification of the object’s activities at run time instead of compile time. The use of this attack has not been revealed yet, but according to the experts in this field, apparently the reflection attack was conducted in an attempt to evade any possibility of source’s detection.

At this point, the original ransomware app performs a check whether front-facing camera exists on the targeted device or not. Once confirmed, the app then takes a picture of the victim, which will then be used on the personalized ransom message screen.

Then the rest of the mischievous activities are performed by the second malicious app, which automatically connects to various domains hard coded into the app including,

Directavsecurity  com, avsecurityorbit  com, protectforavno  net, trustedsecurityav  net.

Once connected, the malicious app transmits all the accessible information including device’s model number, brand, operating system and other details to the remote servers.

All the transmitted information are then processed by the servers and then reverts with a customized multi-encoded response, which then locks the device and displays the ransom message.

Furthermore, this ransom message has been specifically designed and already has all the required rights to remain on the device’s display screen even during the boot, leaving the victim with zero possibility to use their device. Not even allow the victim to uninstall it.

How To Get Rid Of Pornography Malicious App

If your device has been infected and taken over by malicious pornography app then you can follow the simple steps outlined by the researchers to uninstall the ransomware app from Android device:

Step #1 – Boot your device into Safe Mode.

Step #2 – Once booted, you need to revoke administrator privileges given to the malicious app by navigating to Settings > Security > Device Administration. There you have to find and select the suspected ransomware app and then select ‘Deactivate.

Step #3 – Now navigate to Settings > Apps. From here, you can select the malicious ransomware app and then uninstall it.

Step #4 – Restart your device to boot into the normal mode.

Now you should have got rid of that ransomware message and your device must be reusable again.

In past, a spoofed copy of the popular app named as “BatteryBot Pro” requested unnecessary permissions from the user during installation in an attempt to get full control over the user’s Android device, a researcher found out. However, it was detected and deleted from the app store.

Suggest ideas, report typos and corrections to [email protected] 


Related Posts