The trend of using adult-themed Android apps to deliver malware is ramping up, as Zscaler security researchers are warning about two new such threats that have recently appeared on the market, both with low detection rates on virus scanning systems like VirusTotal.
Zscaler previously uncovered two similar threats using pornography-themed apps that infected users with ransomware. One of them changed the device's lock PIN to a random number, while the other intimidated victims by taking their picture and using it inside the ransom note.
These two newer threats are less dangerous, being only a simple SMS trojan and an information stealer, but both can cause major damage in the hands of a skilled malicious actor. Both threats rely on users installing apps from unofficial app stores.
An SMS-sending trojan
The first of them is an app that disguises itself as a video player for adult movies (com.uryioen.lkhgonsd) but secretly installs a trojan.
This trojan collects information about the device, sends it to a remote C&C server, and then waits for the server to return a telephone number and the text it should send to that number as an SMS.
These are affiliate and marketing campaigns, in which the attackers are paid according to the number of SMS messages sent to that particular number.
While the trojan does not steal personal data, like contacts and photos, infected users can suffer serious financial losses.
The infostealer that masquerades as ransomware
The second new threat Zscaler researchers detected is an information stealer that uses scareware tactics and a fake ransomware message. This new virus hides as a video player for adult content (com.gi.to), but when opened, it shows a ransom message overlaid on the entire screen.
While most ransomware messages are shown as coming from a law enforcement agency to intimidate victims, the authors of this particular virus did not know what they were doing. The ransom message they show is branded as coming from ICS-CERT (Industrial Control Systems – Cyber Emergency Response Team), an authority that deals with security vulnerabilities in industrial systems.
The message can be removed with ease, and Zscaler reports that while the user is busy removing the annoying interstitial, the virus works its magic and steals their contacts list and SMS messages, uploading them to a remote server.
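Both apps are identified in the report only by their package names, so the quickest check a defender can run against a device or a fleet inventory is to look for those identifiers in the installed-package list. The script below is an added example, not code from the article or from Zscaler: it takes lines in the `package:<name>` format that `adb shell pm list packages` prints, and flags any package whose name matches one of the two identifiers named above. The sample inventory is constructed for the example, and the helper names are assumptions.

```shell
#!/bin/sh
# Indicators taken from the article: the two package names Zscaler reported.
KNOWN_BAD_PACKAGES="com.uryioen.lkhgonsd com.gi.to"

# flag_known_bad_packages: reads "package:<name>" lines (the format printed by
# `adb shell pm list packages`) on stdin and prints every package name that
# matches a known-bad identifier. Returns 0 when the inventory is clean and
# 1 when at least one match was found, so it can drive an if/else or a CI gate.
flag_known_bad_packages() {
    found=0
    while IFS= read -r line; do
        pkg=${line#package:}            # strip the "package:" prefix
        for bad in $KNOWN_BAD_PACKAGES; do
            if [ "$pkg" = "$bad" ]; then
                printf 'MATCH: %s\n' "$pkg"
                found=1
            fi
        done
    done
    return $found
}

# count_matches: convenience wrapper (hypothetical helper) that returns the
# number of flagged packages for a newline-separated inventory passed as $1.
count_matches() {
    printf '%s\n' "$1" | flag_known_bad_packages | wc -l | tr -d ' '
}

# Constructed sample inventory standing in for real `pm list packages` output.
SAMPLE_INVENTORY='package:com.android.settings
package:com.uryioen.lkhgonsd
package:com.example.photos
package:com.gi.to'

# Against a connected device the same check is:
#   adb shell pm list packages | flag_known_bad_packages
```

Matching on exact package names catches only these two samples; repackaged variants usually ship under a different identifier, so this is a triage check to confirm known infections, not a substitute for scanning the APK itself. Because both apps came from unofficial stores, the same inventory pass is a good moment to verify that installation from unknown sources is disabled on managed devices.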