08 September 2015


Android App takes photo of user and demands 500 $ ransom

Technology blog Zscaler reported that it has found another Android app, "Adult Player", which offers adult images and videos to the user but whose main purpose is to blackmail the user.

Adult Player is a mobile ransomware variant that uses pornography to lure victims into downloading and installing it.

Info about the Adult Player app:

App Name: Adult Player

URL -
hxxp://accanalasti247[.]topliberatone[.]pw/video_player.php?s=Zomhj9PlVZc=&name=Mp4TubePlayer_v5.562.apk&type=1&tpl=1&l=EN

MD5: 6ed2451d1300ff75e793744bb3563638
Package Name: content.mercenary.chiffon

This ransomware poses as a porn app named "Adult Player" and lures victims who assume it is a pornographic video player. When the victim starts using it, the app silently takes a photo of the victim, which is then displayed on the ransomware screen along with the ransom message. The app demands a ransom of 500 USD.

The ransom screen is designed to stay persistent even across a reboot. It does not allow the user to operate the device and keeps the screen occupied with the ransom message.

The ransomware is designed to stay fixed on the screen and does not allow the victim to uninstall it. Rebooting the device does not help, because the ransomware app becomes active immediately after reboot, leaving the victim no opportunity to get into the device "Settings" and uninstall it.

Admin Activation:
Upon opening, the app asks for device administrator rights.
After the user clicks "Activate", the app shows a fake update page, but nothing actually happens in terms of an update.
The malware then loads another APK, named test.apk, from its local storage (/data/data/content.mercenary.chiffon/app_dex/test.apk) using a technique the report refers to as a reflection attack.

Reflection is the ability of a program to examine and modify the behavior of an object at run time rather than at compile time; here it lets the installed app load and execute code from a second APK that was never declared at install time.

Personalized Ransom Screen:
The ransomware checks whether a front camera is available. If it is, the app takes a photo of the victim while he or she is using the app and displays the image on the ransom page.
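The behaviour described above (device-admin activation, a camera shot, persistence across reboot and a secondary APK loaded through reflection) all leaves traces in an APK's manifest and contents. The following is an added triage example, not code from Zscaler or from the malware write-up: it compares a file's MD5 with the hash reported on this page and scans the binary AndroidManifest.xml for the permission strings that go with those capabilities. The manifest layout, the marker list and the demo APK built by `build_demo_apk` are assumptions and constructed input, not the real sample.

```python
import hashlib
import io
import zipfile

# MD5 reported for the sample on this page; everything else below is constructed.
KNOWN_MD5 = "6ed2451d1300ff75e793744bb3563638"
# Permission strings matching the capabilities the write-up describes:
# lock the device as admin, photograph the victim, and come back after reboot.
MARKERS = {
    "device_admin": "android.permission.BIND_DEVICE_ADMIN",
    "camera": "android.permission.CAMERA",
    "boot_persist": "android.permission.RECEIVE_BOOT_COMPLETED",
}

def manifest_mentions(manifest: bytes, text: str) -> bool:
    """Binary AndroidManifest.xml stores its string pool as UTF-8 or UTF-16LE,
    so a raw byte search for both encodings is a cheap first-pass heuristic."""
    return text.encode("utf-8") in manifest or text.encode("utf-16-le") in manifest

def triage_apk(apk_bytes: bytes) -> dict:
    """Return which of the page's indicators an APK-like zip file matches."""
    findings = {"md5_match": hashlib.md5(apk_bytes).hexdigest() == KNOWN_MD5}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = z.namelist()
        manifest = z.read("AndroidManifest.xml") if "AndroidManifest.xml" in names else b""
        for key, perm in MARKERS.items():
            findings[key] = manifest_mentions(manifest, perm)
        # A bundled second .apk/.dex is the usual way a dropped payload such as
        # test.apk ships before being loaded at run time through reflection.
        findings["embedded_payloads"] = [
            n for n in names if n.endswith((".apk", ".dex")) and n != "classes.dex"
        ]
    findings["suspicious"] = bool(
        findings["device_admin"] and (findings["camera"] or findings["embedded_payloads"])
    )
    return findings

def build_demo_apk(permissions, extra_entries=()) -> bytes:
    """Constructed stand-in for an APK: a zip with a fake manifest whose string
    pool is UTF-16LE plus optional extra entries. Not a real installable APK."""
    pool = b"".join(p.encode("utf-16-le") + b"\x00\x00" for p in permissions)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00" + pool)
        z.writestr("classes.dex", b"dex\n035\x00")
        for name in extra_entries:
            z.writestr(name, b"payload")
    return buf.getvalue()

if __name__ == "__main__":
    print(triage_apk(build_demo_apk(list(MARKERS.values()), ["assets/test.apk"])))
```

A hit on these markers is a reason to look closer with a proper manifest decoder, not a verdict on its own; many legitimate apps use the camera or device-admin APIs.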

Once installed, the malware connects to external servers and sends the collected information there. Ultimately, at run time the malware receives a custom ransom page from the servers in a multi-encoded response.
Once the response is received, the ransomware locks the phone and displays the following ransom screen message:

FBI Case #98---------- ab -----
IP address -
Country -
Cellurar Network -
Offender Device – Generic Ransom 4.3
Android Version – 4.3
Your device has been blocked up for safety reasons listed below
All the actions performed on this device are fixed

Amount of fine 500$ you can setting the fine with Paypal My cash card.
As soon as the money arrives to the Treasury account your device will be unblocked and all information will be decrypted in course of 24 hours.

How to remove the Adult Player ransomware?

Boot the device into safe mode.
Safe mode boots the device with default settings without running third-party apps. Uninstalling the ransomware from the device first requires removing its administrator privilege.
To do so, go to Settings --> Security --> Device Administrator, select the ransomware app, then deactivate it.
Once this is done, go to Settings --> Apps and uninstall the ransomware app.

Reality views by sm -

Tuesday, September 8, 2015

Tags – Malware Adult Player Black Mail Ransom

2 comments:

Destination Infinity September 08, 2015  

Hmm... what a way to make money. The law enforcement agencies around the world should get together to combat such cyber crimes.

Destination Infinity