Your Android device can get infected with this ransomware if you download a malicious app (that goes by the name \u2018Porn Hub\u2019) on third-party app stores or by receiving the app via electronic transfer mediums (Bluetooth, emails, file sharing sites, etc.)<\/p>\n
Analysis of Porn Hub app ransomware<\/strong><\/p>\n AppName: Porn Hub After the ransomware locks down your device, it displays a ransom note where it demands a ransom of an iTunes gifts card worth $200 as a penalty for watching child pornography. An URL is displayed in the ransom note (fig 1). This happens if your device is connected to the Internet.<\/p>\n If your device is not connected to the Internet, the ransom note displays a different message. In this one, it says that all your files have been encrypted and that you must pay a ransom of $100 worth Bitcoins in order to unlock the device and decrypt the data (fig 2).<\/p>\n In our analysis, however, we found no instances where the infected device\u2019s data is encrypted by this ransomware. Moreover, the malicious app (\u2018Porn Hub\u2019) does not have any encryption code. This means you can retrieve your personal information by connecting the device to your PC.<\/p>\n Technical<\/strong> Analysis<\/strong><\/p>\n When we tried opening the malicious app, it asked us to activate the Device Administrator rights. We selected \u2018cancel\u2019 but the app kept repeating the same activity until we selected the \u2018activate\u2019 option.<\/p>\n Once activated, the app checked if the device is connected to the Internet. When the device was online, the app collected device data such as device ID and sim operator. This data was sent to a certain URL (https:\/\/*******.w*n\/\/private\/tuk_tuk.php) which loads the webpage demanding the iTunes gift card (fig 1).\u00a0 And when the device was offline, the app loaded an HTML page demanding Bitcoins (fig 2).<\/p>\n Here, the URL and HTML page content is encrypted using Base64. The Base64 encoded strings are decoded as shown in fig 4.<\/p>\n Analysis of fake Dropbox app ransomware<\/strong><\/p>\n \u00a0<\/strong>AppName: Dropbox \u00a0<\/strong>Quick Heal Security Labs found another malicious app hiding a ransomware which demands iTunes gift cards as a ransom. This app uses the icon of Dropbox (a famous a file hosting service). When we opened this app, it asked us to activate the Device Administrator rights (fig 6), just like the app we discussed earlier.<\/p>\n Once activated, the ransomware displays a ransom note claiming that the device has been locked by the Federal Bureau of Investigation (FBI) as a penalty for watching child pornography. To unlock the device, an iTunes gift card worth $25 has to be paid within 72 hours (fig 7).<\/p>\n The ransom note asks the user to enter an iTunes gift card code of the demanded value. If the user enters a wrong code, a message is displayed saying that the user is now left only with 2 attempts after which the device will be locked permanently (fig 8).<\/p>\n In our analysis, however, we found that the warning is fake and only shown to threaten the user into paying up the ransom.<\/p>\n Quick Heal Detection<\/strong><\/p>\n Quick Heal successfully detects both these ransomware as Android.Locker.Aa54f<\/strong> and Android.Locker.Aa550<\/strong>.<\/p>\n It is strongly recommended not to pay any ransom because there is no guarantee that you will get your files back or have your device unlocked even after paying the ransom.<\/p>\n \u00a0<\/strong>How to stay safe from Android ransomware <\/strong><\/p>\n \u00a0<\/strong>Subject Matter Expert<\/strong> Typically, a ransomware will demand money or cryptocurrency after it has locked down your computer or phone or encrypted its data. But, Quick Heal Security Labs has spotted an Android ransomware that demands iTunes gift cards after it locks down the infected device. These gift cards can be sold on auction sites, social media or […]<\/p>\n","protected":false},"author":12,"featured_media":85318,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-85304","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/85304"}],"collection":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/users\/12"}],"replies":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/comments?post=85304"}],"version-history":[{"count":5,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/85304\/revisions"}],"predecessor-version":[{"id":85322,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/85304\/revisions\/85322"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media\/85318"}],"wp:attachment":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media?parent=85304"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/categories?post=85304"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/tags?post=85304"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
\n<\/em>Package name: com.pornhub_tools
\n<\/em>MD5: 9fadc90562ce6e275eb6db8e6ca6ddad
\n<\/em>Size: 39KB<\/em><\/p>\n![\"\"](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2017\/12\/fig-1-234x390.png\")
<\/p>\n![\"\"](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2017\/12\/fig-1--234x390.png\")
![\"\"](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2017\/12\/fig-2-234x390.png\")
![\"\"](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2017\/12\/Code_snippet_for_connecting_URL_or_loading_HTML_page-650x77.png\")
![\"\"](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2017\/12\/HTML_code_shown_in_fig-2-650x308.png\")
![\"\"](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2017\/12\/Code_snippet_of_the_device\u2019s_data_collection_and_URL_generation-650x257.png\")
\n<\/em>Package name: com.example.testlock
\n<\/em>MD5: 17bc088027d2f3f71a74beed3a9c715
\n<\/em>Size: 415KB<\/em><\/p>\n![\"\"](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2017\/12\/fig-5-234x390.png\")
![\"\"](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2017\/12\/fig-6-234x390.png\")
<\/p>\n![\"\"](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2017\/12\/fig-6--234x390.png\")
![\"\"](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2017\/12\/fig-7-234x390.png\")
\n
\nRupali Parate | Quick Heal Security Labs<\/p>\n","protected":false},"excerpt":{"rendered":"