Android Ransomware Attack: Fake PornHub App Hides Ransomware

Android users in the United States are the target of a ransomware campaign that hides its malicious software behind the appearance of adult-themed Android apps.

The campaign has spread a strain of the Koler ransomware to Android devices across the country by tricking targets into downloading a fake app designed to look like an app from PornHub, one of the most frequented porn sites in the U.S.

Read: Android Malware: Google Removes Apps That Contain Trojan

First discovered by malware researcher Lakas Stefanko of security firm ESET, the attack appears to have been spread via advertisements displayed on other pornographic websites. The ads encouraged users to download the supposed PornHub app to view their content, but would instead redirect the user to install a phony app used to distribute ransomware.

The attack hit users who have their devices set to allow the installation of third-party apps; Android users who only allow installation of apps from the Google Play Store were likely protected from the attack spreading to their devices.

For those who weren’t so lucky, the app would install on the device, grant itself administrative rights and hijack control over the phone or tablet.

Using its administrative privileges, the Koler ransomware displays its ransom message — one designed to look like a message from the FBI claiming the user’s attempts to visit “forbidden pornographic sites” has resulted in the device being locked. The message includes a demand for a $500 penalty to be paid within three days to unlock the device.

Read: WannaCry Ransomware: Fake Antivirus Apps For Android Don't Protect Against Malware Attacks

Koler ransomware is not new. It first appeared in 2014 and has been hassling unlucky Android users ever since through similar campaigns. While the malicious software often comes with a geo-targeting feature that generates a ransom note in different languages based on the victim’s location, the PornHub attack offers its message only in English. That, combined with the FBI imagery in the ransom note, suggests the attack is primarily targeting Americans.

Users do have a few options for avoiding the attack, primary among them being the utilization of security tools that can catch malicious software before it gains undue access to a device. Because Koler is a known attack, many antivirus tools for Android should identify and halt the installation of the code when it’s spotted in a download.

Users also may want to ensure their devices are configured in a way to prevent the installation of apps from third-party sources. While doing so will limit the user to installing apps found only in the Google Play Store — which has been known to allow malware through the cracks on occasion itself — it will also limit the likelihood of being hit by a malicious attack that takes advantage of lax security settings.

Open up the Settings app and choose the option for Applications. In the menu, there should be an option that says “Unknown sources.” If the check box next to that option is selected, it means third-party installations are allowed. Uncheck the box to prevent such installations from happening. In some versions of Android, the option may be found under Lock Screen and Security.

Finally, for users who have already been victimized by the attack and want to regain access, it’s possible to do so without forking over the $500 demand.

Shut down the device and boot in safe mode by holding down both the volume up and volume down buttons on the device while it launches. Apps installed on the device are disabled in this mode and can be removed. Find the ransomware in the admin group, remove its access, and uninstall the fake PornHub app.