AdultPlayer Android Porn App Blackmails Users With Secret Selfies

A new mobile malware app called “Adult Player” is proving a textbook example of a growing new category of malicious software in the mobile space: ransomware.  The app has been detailed in a new threat analysis by Zscaler, a security-as-a-service (SecAAS) provider.

The “Adult Player” app lures in its victims with a sexually charged icon.  It is not found on Google Inc.’s (GOOG) Play marketplace; instead it is distributed via less reputable third party app stores.  It’s important to note that installation from such third party sources must be explicitly enabled in Android by the user.  However, given the presence of some fairly reputable third party stores, e.g. the Amazon.com, Inc. (AMZN) Android app store, it is not unusual for Android users to have done so.

Adult Player is seen here installed on an Android device. [Image Source: Zscaler]
Once installed, the app requests a new permission when it is opened — remote administrative rights.  Interestingly, this impacts even users of non-jailbroken devices, as it is effectively the perversion of a legitimate feature, the Device Administration API.  This API is legitimately used as the basis of most mobile device management (MDM) solutions.

The app exploits MDM rights for its ill purposes. [Image Source: Zscaler]
The app also appears to have access to the device cameras, although it’s unclear from the Zscaler post when exactly those rights are approved.  Presumably they’re part of the list of permissions the user approves when the app is first installed, prior to the request for additional MDM rights.

Once the user opens the app, it checks for a front-facing camera (FFC).  If one is found, it takes a selfie of the user.  Considering the app’s content, it stands a decent chance of capturing a fairly compromising photo.

If the user foolishly approves Adult Player’s request for administrative rights, the app locks the user’s device, displaying a fake administration screen.  It then employs reflection to disguise its true intent, loading a secondary package named “test.pkg”.  This package proceeds to connect to one of four URLs, which then display a ransom demand customized with some basic information collected from the user’s device and with the help of the unauthorized selfie (if one was captured).
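The permission profile described above (device administrator rights combined with camera and network access) is a useful static triage signal for analysts. The following is an added example, not code from the article or from Zscaler: a small Python heuristic that reads a decoded AndroidManifest.xml and flags that combination. The two embedded manifests are constructed samples, not the real Adult Player manifest; the permission and action names are the standard Android identifiers.

```python
"""Static triage heuristic (added example): flag Android manifests that combine
device-admin rights with camera and network access, the permission profile the
Adult Player ransomware relies on. Input is a decoded (plain-text) manifest."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION = f"{{{ANDROID_NS}}}permission"

# Constructed sample manifest (NOT the real Adult Player manifest): an app that
# asks for camera + internet, registers a device-admin receiver and a boot receiver.
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakeplayer">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <uses-feature android:name="android.hardware.camera.front" android:required="false"/>
    <application android:label="Adult Player">
        <receiver android:name=".AdminReceiver"
                  android:permission="android.permission.BIND_DEVICE_ADMIN">
            <intent-filter>
                <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>"""

# Constructed benign manifest: a video player that only needs the network.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.player">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Player"/>
</manifest>"""


def manifest_profile(xml_text: str) -> dict:
    """Extract the signals the heuristic cares about from a decoded manifest."""
    root = ET.fromstring(xml_text)
    perms = {e.get(NAME) for e in root.iter("uses-permission")}
    features = {e.get(NAME) for e in root.iter("uses-feature")}
    # A device-admin receiver is a <receiver> guarded by BIND_DEVICE_ADMIN
    # that listens for the DEVICE_ADMIN_ENABLED action.
    admin_receivers = []
    for rcv in root.iter("receiver"):
        guarded = rcv.get(PERMISSION) == "android.permission.BIND_DEVICE_ADMIN"
        actions = {a.get(NAME) for a in rcv.iter("action")}
        if guarded and "android.app.action.DEVICE_ADMIN_ENABLED" in actions:
            admin_receivers.append(rcv.get(NAME))
    return {
        "package": root.get("package"),
        "device_admin": bool(admin_receivers),
        "admin_receivers": admin_receivers,
        "camera": "android.permission.CAMERA" in perms,
        "front_camera_feature": "android.hardware.camera.front" in features,
        "internet": "android.permission.INTERNET" in perms,
        "boot_persistence": "android.permission.RECEIVE_BOOT_COMPLETED" in perms,
    }


def risk_findings(profile: dict) -> list:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    if profile["device_admin"]:
        findings.append("requests device-administrator rights (can lock the screen and resist uninstall)")
    if profile["device_admin"] and profile["camera"]:
        findings.append("device admin combined with CAMERA: can capture photos while locking the device")
    if profile["device_admin"] and profile["internet"]:
        findings.append("device admin combined with INTERNET: can fetch a remote ransom page")
    if profile["device_admin"] and profile["boot_persistence"]:
        findings.append("device admin plus boot receiver: lock can be re-established after reboot")
    return findings


def triage(xml_text: str) -> list:
    """Convenience wrapper: manifest text in, list of findings out."""
    return risk_findings(manifest_profile(xml_text))


if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, triage(manifest) or ["no findings"])
```

The heuristic only reads the manifest, so it will not see a payload loaded via reflection at runtime (as Adult Player does with “test.pkg”); it is meant to prioritise samples for dynamic analysis, not to replace it.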

The malware connects to remote webpages to build its ransom note. [Image Source: Zscaler]
Once the ransom page is loaded onto the lockscreen, the device can no longer be unlocked.  Victims find that even if they reboot their device they are unable to escape the lockscreen ransom note.  Sample ransom pages collected by Zscaler showed a typical “fine” demand of $500 USD to unlock the victim’s device.

Example ransom pages generated by the malicious app are seen here. [Image Source: Zscaler]
Ultimately, the only way to break the grip of this clearly malicious package is to boot into safe mode and remove the administrative rights which were unwisely granted to it by the device owner.  At that point the package can be uninstalled by standard means upon reboot.

While Android has suffered the bulk of the recent spate of mobile malware, as with traditional PC operating systems, most malicious apps can be avoided by exercising some basic common sense.  That said, a growing number of less savvy users on both Android and Apple, Inc.’s (AAPL) iOS have found themselves exposed to malicious applications.

Particularly at risk are those who jailbreak/root their device without understanding the potential security ramifications of doing so.  That said, as mobile malware, scamware, etc. increase in volume and sophistication, having a locked device is no longer a sufficient security solution on popular mobile platforms.  As always, users must be careful whom they grant trust to, lest they find their device held ransom or otherwise impacted by malicious parties.