Beware! Porn video players also love your SMS
During its continued efforts to protect its customers against the latest mobile threats, Zscaler, a Security Research and Analysis company, came across another malicious app that used pornography to attract users. Given that 1 in 5 mobile searches are related to porn, it's no surprise that hackers continue to create fake porn apps to disguise malware. The researchers analyzed a similar adult-themed malware sample in November last year.
The app is a Chinese application that needs to be downloaded if you want to view the adult content on a website. The app also downloads three other apps, which are malicious and steal user data in the background.
Overview:
The application in question is presented as a porn player. When the user clicks on the application icon, he or she will be presented with thumbnails of many porn videos. When the user tries to play one of these videos, the application will download 3 files in the background and a shortcut will be placed on the main page of the device. The application also requests on-demand videos via SMS, costing the user money without them knowing. The 3 dropped files are also depicted as porn players. When the user clicks on videos shown in these applications, they again drop more files to the device, resulting in a never-ending process. Some of these dropped files have icons that look similar to the Internet Explorer and Angry Birds applications for the sole purpose of scamming the user. However, these dropped applications are actually SMS stealers or fake installers. Upon launching the application, you will be able to see a list of obscene videos.
When you click on any of those videos, instead of playing them the malware drops 3 additional porn applications on the device. These files also take the form of porn players, but are actually SMS stealers. When the user tries to launch one of these applications, it again drops more files onto the device, continuing a never-ending chain. Two of the dropped applications have icons similar to Internet Explorer in order to scam users into using the application. The application uses the concept of pending intents, which allows another application to use your application's permissions to execute a predefined piece of code. The application also scams the user with premium on-demand videos, which are requested via SMS without the user's knowledge. This application leverages the commonly known 1npay to scam the victims. The application sends out a POST request in which the method of payment is specified as SMS. The application also sends device-related information back to the servers.
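A defender triaging a suspected sample can check whether a "video player" declares the permissions that the behaviours above would require. The following is an added example, not code from Zscaler or from the malware: the behaviour-to-permission mapping, the package names and both sample manifests are constructed assumptions, and the input is a manifest already decoded to text XML.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Behaviours the article describes, mapped to permissions an app would need.
# Assumed mapping for triage: the article does not list the sample's permissions.
BEHAVIOURS = {
    "sends SMS (premium video requests)": {"android.permission.SEND_SMS"},
    "reads or intercepts SMS (SMS stealer)": {
        "android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "places home-screen shortcuts": {
        "com.android.launcher.permission.INSTALL_SHORTCUT"},
    "network access (downloads, POST requests)": {"android.permission.INTERNET"},
}

def requested_permissions(manifest_xml):
    """Return the permission names declared in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    names = (e.get(ANDROID_NS + "name") for e in root.iter("uses-permission"))
    return {n for n in names if n}

def triage(manifest_xml):
    """Return (verdict, {behaviour: [matching permissions]})."""
    perms = requested_permissions(manifest_xml)
    hits = {b: sorted(perms & need) for b, need in BEHAVIOURS.items() if perms & need}
    sms = {p for p in perms if p.endswith("_SMS")}
    # A video player has no functional need for SMS; SMS plus network access
    # is the combination the article's dropper and its payloads rely on.
    risky = bool(sms) and "android.permission.INTERNET" in perms
    return ("review: SMS-capable media app" if risky else "no SMS pattern"), hits

def _manifest(package, perms):
    # Constructed sample manifests; package names are hypothetical.
    uses = "".join(f'<uses-permission android:name="{p}"/>' for p in perms)
    return (f'<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="{package}">{uses}<application/></manifest>')

FAKE_PLAYER = _manifest("com.example.videoplayer", [
    "android.permission.INTERNET", "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "com.android.launcher.permission.INSTALL_SHORTCUT"])
PLAIN_PLAYER = _manifest("com.example.plainplayer", ["android.permission.INTERNET"])

if __name__ == "__main__":
    for name, xml in (("fake player", FAKE_PLAYER), ("plain player", PLAIN_PLAYER)):
        print(name, triage(xml))
```

A "review" verdict is a prompt for closer analysis of the app, not proof of malice, since legitimate messaging apps declare the same permissions.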
Removal:
Since the malware does not ask for Administrator privileges, removing it is not a difficult task. The victim can go to the Settings option on the Android device. Head to Settings --> Apps, then find the app in the list and click on it. Then, click on the Uninstall option. Click OK. Done.
Users should not trust any unknown links received via messages or emails. Additionally, disable the "Unknown Sources" option under Settings on your device. This will prevent installation of apps from unknown sources.