Trend Micro warns of new kind of porn ransomware for Android
Trend Micro reports ransomware that lures users to porn websites via fake text messages and persuades them to download a video file. The ransomware locks the screen and blackmails the user by threatening to report viewing child pornography.
To bolster the threat, the ransomware activates the smartphone’s camera and takes a photo of the user. The app then blackmails the user with the message that the social network and authorities will be informed that the user has been viewing child pornography. The texts of the app are all in Russian.
Trend Micro has named the ransomware androidos_slocker.axbb and, according to the company, the installation process should set off several alarm bells for users. Still, Trend Micro has already detected the malware in 11 countries, with most infections occurring in Russia. It is not clear in which other countries the ransomware has been detected. According to Trend Micro, it is probably only a matter of time before the new type of ransomware appears in other languages. Since the discovery of the ransomware on March 23, Trend Micro has identified 3400 infections.
To get the malware, the user has to go through quite a few steps. First, the user gets a text message with a link to a fake porn website. Then the user clicks on a video link on the porn website and instead of a video, the user downloads an Android app with .mp4.apk in the name. After installing the app, the user has to click on an icon to activate the app. Then the app asks if it can install the video and asks for admin rights. The accompanying text is in Russian.
After a reboot, the lock screen appears, stating in Russian that the phone is locked, that all personal data has been sent to a server of the criminals, and that the video that was previously made has also been uploaded. The alleged reason for the lock is that the user viewed prohibited Internet resources, including child pornography, rape, incest, bestiality and gay porn content.
To unlock the phone, 1000 rubles, about 13 euros, must be transferred. All locked data would then be deleted from the criminals’ servers within eight hours. If the user does not transfer the money within 12 hours, the criminals threaten to forward the allegations to all contacts in the phone and to the authorities.
According to Trend Micro, scaring victims by threatening to involve the authorities is a well-known form of extortion. Trend Micro also reports that it is not possible for the attackers to obtain the allegedly locked data from a locked phone.
There is a bright spot for people with a so-called non-native Android phone. On mobile phones that run an Android version that has been modified by a manufacturer, the ransomware can in some cases be circumvented by, for example, revoking the app's admin rights via a reboot and then removing the app. The ransomware is also reminiscent of the ‘police virus’ from 2011.
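The installation traits described above (an app named .mp4.apk, a request for admin rights, camera use, activity after a reboot) can be checked when triaging an APK. The following is an added example, not Trend Micro's detection logic: it assumes the manifest has already been decoded to plain XML, that "admin rights" means an Android device-admin receiver, and that the post-reboot lock screen implies a BOOT_COMPLETED receiver; the sample manifests and file names are constructed.

```python
import re
import xml.etree.ElementTree as ET
NS = "{http://schemas.android.com/apk/res/android}"
# Generalised beyond the article's ".mp4.apk": any media-looking name ending in .apk.
DOUBLE_EXT = re.compile(r"\.(mp4|avi|mkv|3gp|mov|jpg|png)\.apk$", re.IGNORECASE)

def triage(filename, manifest_xml):
    """Return the traits matched by one APK, given its name and decoded manifest."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(NS + "name") for e in root.iter("uses-permission")}
    actions = {e.get(NS + "name") for e in root.iter("action")}
    # Assumption: "admin rights" means an Android device-admin receiver, which
    # must be declared with the BIND_DEVICE_ADMIN permission.
    admin = any(r.get(NS + "permission") == "android.permission.BIND_DEVICE_ADMIN"
                for r in root.iter("receiver"))
    hits = []
    if DOUBLE_EXT.search(filename):
        hits.append("media-double-extension")
    if admin:
        hits.append("device-admin")
    if "android.permission.CAMERA" in perms:
        hits.append("camera")
    # Assumption: the lock screen "after a reboot" implies a boot-time start.
    if "android.intent.action.BOOT_COMPLETED" in actions:
        hits.append("boot-start")
    return hits

def needs_review(hits):
    """Escalate a disguised name that is combined with a device-admin request."""
    return "media-double-extension" in hits and "device-admin" in hits

# Constructed sample manifests (not taken from any real app).
HEAD = '<manifest xmlns:android="http://schemas.android.com/apk/res/android">'
SUSPECT = HEAD + """
  <uses-permission android:name="android.permission.CAMERA"/>
  <application>
    <receiver android:name=".Admin" android:permission="android.permission.BIND_DEVICE_ADMIN"/>
    <receiver android:name=".Boot"><intent-filter>
      <action android:name="android.intent.action.BOOT_COMPLETED"/>
    </intent-filter></receiver>
  </application>
</manifest>"""
BENIGN = HEAD + """
  <uses-permission android:name="android.permission.CAMERA"/>
  <application/>
</manifest>"""

if __name__ == "__main__":
    for name, manifest in (("video.mp4.apk", SUSPECT), ("camera-app.apk", BENIGN)):
        print(name, triage(name, manifest))
```

No single trait is conclusive; the benign sample shows that camera access alone does not trigger escalation.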