Android malware disguised as porn apps has emerged. It’s causing growing concern amongst analysts, who perceive this launch to be a trial run for a widespread future campaign.
Once a device is infected, the user appears to be locked out. If the malware attains Device Administrator privileges, then the user has to reset the device to get rid of the infection. This is the warning issued by the Dell SonicWall Threats Research Team, which discovered the proto-malware on Thursday. They describe the yet-to-be-named malware as a lockscreen variant which is ‘immature’ but could possibly become a virulent problem.
Alex Dubrovsky, head of the team, explained, “We have found over 100 different apps that contain this malware and suspect that the authors behind the apps are gearing up for a much larger, more deadly assault.”
Other mobile lockscreen malware such as Cyber.Police demands a ransom, whereas this doesn’t. Yet. The malware is closely associated with porn sites: users are infected after being encouraged to download apps on that theme via SMS or links (to third-party Android app stores). Once the app is downloaded, it goes about requesting privileges.
If the application is clicked on, or System Settings is opened, a lockscreen/ransom message appears. SonicWall say that this can be navigated around by clicking Recent Apps or Home. So – the attack is not demanding ransom; it does not effectively lock or control the device; it does not communicate with a backend server – so what does it do?
Dubrovsky explains, “… once the application starts running, encoded data is transmitted to multiple domains in the background.” The team say that the data being sent could be personal, though until further tests are done they cannot be sure. The current theory is that hackers are making real-time adjustments to the malware. This bears out the development theory: “Many of the obvious features you’d expect with malware are just not feature complete,” says Dubrovsky.
This lockscreen infestation is difficult to remove. If it achieves Admin status, it hides the Uninstall button. Nor can the user run in Safe Mode to delete the malware: it starts to block System Settings to prevent deletion. So, if you are infected and don’t have the developer’s tool called Android Debug Bridge (ADB), the non-tech option is to reset the device.
“Overall it looks like this campaign is in its early days as the lockscreen does not work as expected and it is easy to come out of the ‘lock’ state,” was the conclusion from the lab. They went on to say that due to the number of apps associated with this malware, they expect a functioning launch soon, perhaps including non-adult-themed platforms for wider exposure.