Sex sells, and nowhere is that more true than the Chinese mobile landscape. Porn-themed malware has been hitting Android users in China, Japan, and Taiwan in recent weeks.
These malicious apps are distributed via SEO-optimized fake websites, using keywords that target hot scandals and affairs. These sites pretend to be porn video websites, and all lead to various malicious apps being downloaded. The use of adult-themed content echoes the one-click billing fraud app we covered a few years ago.
We found three different malware families distributed via these sites, but they all have the same behavior: they are used to distribute more malicious apps onto user devices. These are continuously pushed to users via pop-up notices:
Figure 1. Malware pushed as fake system update
One malicious app detected as AndroidOS_Souying.HRX includes integrated exploit code which can target various unsecure kernel driver vulnerabilities (including CVE-2012-6422, CVE-2013-2595, and CVE-2014-2273) to gain root access. With root privileges, rogue apps can be silently installed.
Figure 2. Kernel exploits targeting vulnerable drivers
Soon, the device will be filled up with various rogue apps:
Figure 3. Multiple malicious apps added to a single device
Some of the apps distributed in this manner pose as pornographic videos, but are used for fraud.
Fraudulent Porn Video
Four families of the malicious apps we found pose as pornographic video players. If the user clicks on any of the videos, the device will send premium SMS messages that cost the user money. In addition to this, a visible payment interface is also present. If the user pays, the app will ask for more money. In addition to videos, pornographic literature is also distributed this way. We detect these apps as:
Figure 4. Fake pornographic video player asking for approximately 3 USD
Fraudulent Social Dating
Alongside the above apps, fraudulent social dating apps are also present. These apps show “friendly” welcome messages that have been sent to the user by automated bots.
Figure 5. “Welcome” messages (including voice) from bots
If the victim believes these messages are “real” and wants to reply, the app will charge the user approximately 16 US dollars a month as payment.
We detected this malware as AndroidOS_LoveFraud.HRX. A large social dating website is behind this particular scheme. This site has a fairly simple registration process that doesn’t ask for a password, username, or address. This has allowed the company to get 190 million users; we believe that this count is inflated by this app.
A rogue game we detect as AndroidOS_Liangou.HBT drops a fake download manager. This download manager registers itself as a Device Administrator to prevent users from removing it easily. (AndroidOS_DownAdmin.HRX mentioned earlier does this as well.) If the user tries to deactivate the malicious app, the malware will lock the screen.
Figure 6. Malicious apps activated as Device Administrator
Figure 7. Malware pushed by fake Download Manager
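The two behaviors described above, premium SMS sending (the Fraudulent Porn Video section) and self-registration as a Device Administrator, both leave traces in an app's manifest before it is ever run. The following triage script is an added example and not code from the original post or from any of the samples named in it; it parses a decoded AndroidManifest.xml and flags SMS permissions and any receiver wired up as a device admin. The manifest it runs on is constructed, and the package name is a placeholder.

```python
"""Static triage of a decoded AndroidManifest.xml for two behaviours described
in the post: premium-SMS capability and self-registration as a Device
Administrator. Added example; the manifest below is constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions and components worth flagging when an app that claims to be a
# video player or game requests them.
SMS_PERMS = {
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
}
DEVICE_ADMIN_PERM = "android.permission.BIND_DEVICE_ADMIN"
DEVICE_ADMIN_ACTION = "android.app.action.DEVICE_ADMIN_ENABLED"

# Constructed sample manifest; the package name is a placeholder, not a real IoC.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.placeholder.videoplayer">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <application android:label="Video Player">
        <activity android:name=".MainActivity"/>
        <receiver android:name=".AdminReceiver"
                  android:permission="android.permission.BIND_DEVICE_ADMIN">
            <meta-data android:name="android.app.device_admin"
                       android:resource="@xml/device_admin"/>
            <intent-filter>
                <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""


def _attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def triage_manifest(xml_text):
    """Return a dict of indicators found in the manifest text."""
    root = ET.fromstring(xml_text)
    package = root.get("package")

    perms = {_attr(p, "name") for p in root.iter("uses-permission")}
    sms_perms = sorted(perms & SMS_PERMS)

    # A device-admin receiver is protected by BIND_DEVICE_ADMIN and/or listens
    # for DEVICE_ADMIN_ENABLED; either is enough to flag it.
    admin_receivers = []
    for rcv in root.iter("receiver"):
        actions = {_attr(a, "name") for a in rcv.iter("action")}
        if _attr(rcv, "permission") == DEVICE_ADMIN_PERM or DEVICE_ADMIN_ACTION in actions:
            admin_receivers.append(_attr(rcv, "name"))

    findings = []
    if sms_perms:
        findings.append(f"requests SMS permissions {sms_perms}: premium-SMS fraud capability")
    if admin_receivers:
        findings.append(f"declares device-admin receiver(s) {admin_receivers}: can resist removal")

    return {
        "package": package,
        "sms_permissions": sms_perms,
        "device_admin_receivers": admin_receivers,
        "findings": findings,
    }


if __name__ == "__main__":
    report = triage_manifest(SAMPLE_MANIFEST)
    print(report["package"])
    for finding in report["findings"]:
        print(" -", finding)
```

Run it against the output of a manifest decoder (apktool or aapt) to get a quick list of apps that need closer review; an app whose stated purpose is playing videos has no reason to hold SEND_SMS, and a device-admin receiver in such an app is exactly what makes removal hard for the user.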
In addition to malware, fraudulent advertisements are pushed as well.
Figure 8. iPhone 6 sales scam
We detect apps pushed to users this way as:
So who made these porn websites and apps?
The cybercriminals behind this attack use garbage words in their domains to host malicious services for a while, then change domains and servers. However, there are clues in some of the downloaded malware.
One of the apps detected as AndroidOS_Souying.HRX connects to a specific URL to download more malware. The domain of this URL belongs to an app promotion company located in Hangzhou, China. This company is responsible for distributing apps to users via pornographic websites and apps.
Developers hire this company to distribute apps for them. It does not appear to have a meaningful selection process, and its own app includes fraudulent routines as described in the Fraudulent Porn Video section. In addition, thousands of malicious apps are still hosted on websites that are also connected to this app promotion company.
It’s not only users in China that are affected by this threat. Feedback from our users suggests that users in Taiwan and Japan are being affected as well. It is possible that Chinese-speaking users in these countries are also being affected by this threat. The heat map below shows the parts of the world where these kinds of apps are being detected within the past 30 days:
Figure 9. Heat map of targeted users
Users of Trend Micro Mobile Security can scan apps before they are installed. If possible, we also recommend that users refrain from downloading apps outside of official sources like the Google Play store. Potential victims may also need to perform factory resets on their devices to clean any threats that have set themselves up as a device administrator.
Hashes of the related files are as follows: