PORN APPS BEHIND WAVE OF ANDROID LOCKSCREEN ATTACKS
Infection Cycle
Upon installation the app requests Device Administrator privileges. On launching the application or opening the System Settings app, the screen shown in the figure below appears. This screen appears to be the ransom/lockscreen, but the user can easily leave this view by pressing the Home or Recent Apps buttons.
Traditionally, lockscreens cover the entire screen of the device and "lock" users into a position where the device becomes unusable, as they cannot exit the lockscreen view. In this campaign, the victim currently cannot view the contents of System Settings while the lockscreen is shown. It is interesting to note that there is no ransom demand of any kind; that, together with the fact that the victim can leave this view, suggests that this mechanism may not be completely implemented.
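The two traits described above (a receiver wired to Device Administrator and a view drawn over System Settings) both show up statically in an APK's manifest, so a triage step can flag them before the app is ever run. The following is an added example, not code from the original post: it parses a manifest with Python's standard xml.etree module and reports whether the app declares a DEVICE_ADMIN_ENABLED receiver or requests the SYSTEM_ALERT_WINDOW overlay permission. Both manifests embedded here are constructed samples; the package names are placeholders.

```python
import xml.etree.ElementTree as ET

# Android's manifest attribute namespace (real value).
ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _attr(name: str) -> str:
    """Build the namespaced attribute key used by ElementTree."""
    return f"{{{ANDROID_NS}}}{name}"


def triage_manifest(manifest_xml: str) -> dict:
    """Static check of an AndroidManifest.xml for the two traits seen in this campaign.

    Returns a dict with:
      package                 - declared package name
      device_admin_receiver   - True if a receiver guarded by BIND_DEVICE_ADMIN
                                listens for android.app.action.DEVICE_ADMIN_ENABLED
      overlay_permission      - True if SYSTEM_ALERT_WINDOW is requested
      requested_permissions   - every <uses-permission> name, for the analyst
    """
    root = ET.fromstring(manifest_xml)
    findings = {
        "package": root.get("package"),
        "device_admin_receiver": False,
        "overlay_permission": False,
        "requested_permissions": [],
    }

    for perm in root.iter("uses-permission"):
        name = perm.get(_attr("name"))
        findings["requested_permissions"].append(name)
        if name == "android.permission.SYSTEM_ALERT_WINDOW":
            findings["overlay_permission"] = True

    for receiver in root.iter("receiver"):
        # A device-admin receiver must be protected by BIND_DEVICE_ADMIN
        # and accept the DEVICE_ADMIN_ENABLED broadcast.
        if receiver.get(_attr("permission")) != "android.permission.BIND_DEVICE_ADMIN":
            continue
        actions = {a.get(_attr("name")) for a in receiver.iter("action")}
        if "android.app.action.DEVICE_ADMIN_ENABLED" in actions:
            findings["device_admin_receiver"] = True

    return findings


# Constructed sample resembling the behaviour described in the post.
SUSPECT_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.suspect">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Sample">
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <meta-data android:name="android.app.device_admin"
                 android:resource="@xml/device_admin"/>
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed benign sample: network access only, no admin receiver, no overlay.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.benign">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Sample">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for label, xml_text in (("suspect", SUSPECT_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, triage_manifest(xml_text))
```

In practice the manifest is binary XML inside the APK and must first be decoded (for example with apktool or aapt); the function above takes the decoded text. Neither trait is malicious on its own, since legitimate MDM clients and screen-overlay utilities use them, so treat a positive as a reason to look closer rather than a verdict.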
Once the application starts running, encoded data is transmitted to multiple domains in the background. The same encoding routine is present in each application that is part of this campaign:
We observed data being sent to the following domains:
routstreetcars.com
highlevelzend.com
girlszendarno.com
artflowerstreet.net
raspberryfog.net
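Because the samples beacon to the fixed set of domains listed above, the simplest network-side detection is to match DNS query logs against that list, including any subdomain of each entry. The following is an added example and not the original author's code: it runs the page's five domains over a handful of constructed log lines in a simple `timestamp client qname` format and returns the matching lookups and the clients that made them. The log format, timestamps and client addresses are all constructed placeholders.

```python
# Domains observed in this campaign (taken from the post above).
CAMPAIGN_DOMAINS = {
    "routstreetcars.com",
    "highlevelzend.com",
    "girlszendarno.com",
    "artflowerstreet.net",
    "raspberryfog.net",
}

# Constructed DNS log lines: "<timestamp> <client> <queried name>".
# Timestamps and addresses are placeholders, not real telemetry.
SAMPLE_DNS_LOG = """\
2000-01-01T10:01:02Z 10.0.0.12 www.example.com
2000-01-01T10:01:05Z 10.0.0.12 api.routstreetcars.com.
2000-01-01T10:01:09Z 10.0.0.21 RaspberryFog.net
2000-01-01T10:01:11Z 10.0.0.21 notraspberryfog.net
2000-01-01T10:01:15Z 10.0.0.33 highlevelzend.com
malformed line without three fields
"""


def normalize_qname(qname: str) -> str:
    """Lowercase the name and drop a trailing dot so comparisons are exact."""
    return qname.rstrip(".").lower()


def matches_campaign(qname: str, domains=CAMPAIGN_DOMAINS) -> bool:
    """True if qname is one of the campaign domains or a subdomain of one.

    The leading dot in the endswith check stops a look-alike such as
    'notraspberryfog.net' from matching 'raspberryfog.net'.
    """
    q = normalize_qname(qname)
    return any(q == d or q.endswith("." + d) for d in domains)


def find_campaign_lookups(log_text: str, domains=CAMPAIGN_DOMAINS) -> list:
    """Return (timestamp, client, normalized qname) for every matching lookup."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            # Skip lines that do not fit the expected three-field layout.
            continue
        timestamp, client, qname = parts
        if matches_campaign(qname, domains):
            hits.append((timestamp, client, normalize_qname(qname)))
    return hits


def clients_to_investigate(log_text: str, domains=CAMPAIGN_DOMAINS) -> list:
    """Sorted, de-duplicated list of clients that resolved a campaign domain."""
    return sorted({client for _, client, _ in find_campaign_lookups(log_text, domains)})


if __name__ == "__main__":
    for hit in find_campaign_lookups(SAMPLE_DNS_LOG):
        print("campaign lookup:", hit)
    print("clients:", clients_to_investigate(SAMPLE_DNS_LOG))
```

A hit identifies a device that should be checked for the sideloaded app; on a resolver that logs per-client queries, the same matching can be turned into a blocklist or a sinkhole entry for the five domains.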

Is this ransomware?