Incidents of Android lockscreen malware masquerading as porn apps are a growing concern to security analysts, who are forecasting an uptick in attacks. Once infected, Android users appear to be locked out of their device and are forced to undergo a complex extraction of the app to win back control of their phone or tablet.
The warning comes from the Dell SonicWALL Threats Research Team, which said this yet-to-be-named variant of lockscreen malware is immature but potent.
“We have found over 100 different apps that contain this malware and suspect that the authors behind the apps are gearing up for a much larger, more deadly assault,” said Alex Dubrovsky, director of software engineering and threat research at Dell.
Unlike other lockscreen malware such as ICE, Jisut and Cyber.Police, which lock the user’s screen and demand a ransom, the lockscreen malware that Dell found does not yet appear to be financially motivated.
The malware is closely tied to porn websites. Users are enticed to download porn-themed apps via links or SMS message requests that link users to third-party Android app stores. Once a target downloads the advertised malicious porn app, it requests Device Administrator privileges.
When users click the application or open the System Settings app, a screen showing what appears to be the ransom or lockscreen message appears. But that lockscreen can be easily circumvented by clicking the Home or Recent Apps buttons, according to a SonicWALL team research blog about the discovery posted Thursday.
At this time, Dubrovsky said, attackers are not employing a command and control backend to manipulate the device. Neither are attackers executing remote code or taking control over a user’s Android device. However, “once the application starts running, encoded data is transmitted to multiple domains in the background,” SonicWALL reports.
Dubrovsky said his team is still dissecting the malware. At this time he suspects that data transmitted from the phone could possibly be personal in nature, but he couldn’t be sure. “This is clearly beta software that attackers are refining in real time. Many of the obvious features you’d expect with malware are just not feature complete.”
One thing is certain about this strain of lockscreen malware: it is hard to remove. “If an Android device gets infected with a malware with Device Administrator privileges it becomes difficult to remove it as the uninstall button gets greyed out,” wrote Dell’s SonicWALL security team.
Dell said that the obvious solution of running your Android device in Safe Mode to remove the app doesn’t work in this instance. Once in Safe Mode, the malicious app starts blocking the System Settings after a few moments, making it impossible to uninstall. The alternative is to disable the running app via Android Debug Bridge, a software developer’s tool. The other option for non-technical users is simply to reset the Android device.
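As an added illustration of the Android Debug Bridge route (this script is not from Dell SonicWALL or the original article), the following shell script lists user-installed apps that hold Device Administrator rights and then stops and disables one the analyst has confirmed as malicious. It assumes USB debugging is already enabled, that `dumpsys device_policy` output follows the layout of the constructed sample, and that the shell user is allowed to disable the package; all package names are hypothetical.

```shell
#!/bin/sh
# Added example: find third-party apps holding Device Administrator rights.
# Assumption: `dumpsys device_policy` output is laid out like SAMPLE_DUMP.

# Constructed sample (hypothetical package names), not from a real device.
SAMPLE_DUMP='Current Device Policy Manager state:
  Enabled Device Admins (User 0):
    com.google.android.gms/.mdm.receivers.MdmDeviceAdminReceiver:
      uid=10012
    com.example.player/.AdminReceiver:
      uid=10087'
SAMPLE_PKGS='package:com.example.player
package:com.example.notes'

# stdin: dumpsys device_policy text -> one admin package name per line
admin_packages() {
  awk '
    /Enabled Device Admins/ { seen = 1; next }
    seen && /^[ \t]*[A-Za-z0-9_.]+\/[A-Za-z0-9_.$]+:[ \t]*$/ {
      sub(/^[ \t]*/, ""); sub(/\/.*/, ""); print
    }' | sort -u
}

# $1: dumpsys text, $2: `pm list packages -3` text
# Prints admins that are user-installed (not part of the system image).
suspect_admins() {
  printf '%s\n' "$1" | admin_packages | while IFS= read -r pkg; do
    if printf '%s\n' "$2" | grep -qxF "package:$pkg"; then
      printf '%s\n' "$pkg"
    fi
  done
}

# $1: package the analyst has confirmed as malicious
neutralize() {
  adb shell am force-stop "$1"
  adb shell pm disable-user --user 0 "$1"   # keeps it from relaunching
  adb uninstall "$1" || echo "uninstall refused; $1 left disabled" >&2
}

case "${1:-}" in
  --device)  # live triage over USB debugging
    suspect_admins "$(adb shell dumpsys device_policy | tr -d '\r')" \
                   "$(adb shell pm list packages -3 | tr -d '\r')" ;;
  --sample)  suspect_admins "$SAMPLE_DUMP" "$SAMPLE_PKGS" ;;
esac
```

Run with `--sample` to see the filtering on the embedded data, or `--device` against a connected handset; `neutralize` is called by hand only after the listed package has been reviewed.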
“Overall it looks like this campaign is in its early days as the lockscreen does not work as expected and it is easy to come out of the ‘lock’ state,” Dell wrote. “Considering the volume of malicious apps that are part of this campaign it can be said that this campaign might grow bigger in the near future with updated components.”
Dubrovsky said his researchers are bracing for more mature variants of this lockscreen malware that will be much more technically adept at demanding a ransom in some form from mobile porn surfers, and for apps that have a broader, non-adult-themed appeal.