Android Security

Porn-themed Android Ransomware Takes Your Picture Before Asking For Money 108

An anonymous reader writes with a link to The Stack's report that researchers at security firm zScaler have spotted a clever new variety of Android-based ransomware, which takes advantage of phones' built-in cameras to add a personal touch; it activates the camera to take a snapshot of the user, which is then incorporated into its blackmail note. "The crudely-planned app features an extraordinarily demanding privacy/functionality swap at install, and proceeds to demand a $500 'FBI fine' via PayPal, rather than any of the cryptocurrencies which most ransomware authors currently favour."
This discussion has been archived. No new comments can be posted.

  • by Anonymous Coward on Tuesday September 08, 2015 @10:22AM (#50478719)

    They'd send me money and tell me to go see a plastic surgeon.

  • Unless you have some unusual moles or tattoos down there.

    That way, when the ransomware comes in you can say "That little thing isn't my junk!"

  • by jandrese ( 485 ) <kensama@vt.edu> on Tuesday September 08, 2015 @10:29AM (#50478785) Homepage Journal
    A Paypal account? Paypal locks your account if you so much as blink too fast or too slow. They're never going to see the money. Plus, what is their plan for getting the money out? Having Paypal mail them a check?
    • It's the FBI, silly. Paypal will give the FBI money - no problemo. They're the good guys.

      • by jandrese ( 485 )
        I have to wonder if the scammers insist that they Paypal the money to their "official FBI address", something like: alexey.petrakov@yandex.ru.
  • by jc42 ( 318812 )

    It's probably just a matter of time, perhaps not much time, before some entrepreneurs figure out that is a generally-useful marketing tactic. We can expect that the little "selfie" cameras on phones and tablets are being turned on briefly by assorted ads delivered along with the web page you looked at, and sent back to the mother ship for later use. You won't have to go through the bother of signing in or otherwise identifying yourself, since your ISP/cell company can supply them with that info (for a pr

    • by jandrese ( 485 )
      More smartphone cases should have a little slider that you can slip over the cameras when you are not using them. I know the original manufacturer is already hamstrung by the size of the lenses relative to the thickness of their phones, but case manufacturers have more leeway.
  • Why would I care if they had my picture, what exactly does that prove or how does it harm me?

    Personally, ransomware authors should be hunted down and shot, but I think having my picture and claiming that it came from some porn app is a pretty weak threat.

    • by Tablizer ( 95088 )

      Why would I care if they had my picture, what exactly does that prove or how does it harm me?

      Maybe you are younger or in better shape. I'm sure my coworkers and relatives would have a hearty laugh at my expense if my cam caught me at the wrong time. Let's just say some things are too big and other things are too small.

      • Maybe you are younger or in better shape.

        Neither, which is probably why I wouldn't care. (If anyone gets off looking at me, they have bigger problems than a wad of cash will solve.)

    • Oh, I don't know ... a picture showing what was on screen, a picture of you making your O-face, and a timestamp showing you were fapping to "teenage girls with donkey" when you should have been working might do it.

      That it's taken this long actually surprises me.

      Blackmail only works if the people care if you release the images or not ... but in this case they've also probably locked you out of your phone.

      The problem is that apps demand a lot of permissions they don't really need, and people just give it to t

      • Oh, I don't know ... a picture showing what was on screen, a picture of you making your O-face, and a timestamp showing you were fapping to "teenage girls with donkey" when you should have been working might do it.

        I still wouldn't care. That's tame compared to what they could catch me doing.

  • Re: (Score:2, Interesting)

    Comment removed based on user account deletion
    • by Tablizer ( 95088 )

      ...as a sysadmin...[I] find this crap installed...I keep a folder of mugshots as a trophy for removing this garbage app.

      Isn't that risky? A mistake or hackers might uncover the pile. It's probably safer to delete them ASAP. And I assume by "mugshot" you mean more than just a face.

      • nimbius calls it a garbage app, but then does exactly the same thing. Hypocrisy at its finest. Oh wait, let's hear from nimbius, "No, I wasn't going to do anything with those pictures, honest! No, seriously, I'm a good guy. I just like storing pictures of people I barely know for no good reason, against their wishes."
    • I keep a folder of mugshots as a trophy for removing this garbage app.

      Of course you're getting signed permission from these users to keep those pics so that you don't end up in jail yourself.

  • Perhaps it's time to have hardware covers on phone cams and perhaps a red "open" light and notice beep. Whether they are manual or auto-open is an issue to consider.

  • My ransomware app just randomly posts a message "I know what you've been doing!" with a mention of my paypal account.

  • You have to deliberately grant an app access to the camera at install time. It's nice to have fine-grained access controls. For example, Evernote wants access to my microphone but since that's a feature I never use, it gets denied.
    • by mlts ( 1038732 )

      iOS is similar. The latest version of Android offers this... but only if the app maker allows it in the manifest. Otherwise, if you want to protect your camera, you physically do something with the phone or you use xPrivacy so the app has full and free rein to access what it thinks is the camera... but in reality is just getting a black screen.

      Android's all or nothing permission model is the ecosystem's biggest weakness. How many users even care what the fleshlight app they downloaded use for permission

  • by Opportunist ( 166417 ) on Tuesday September 08, 2015 @11:18AM (#50479195)

    Yeah, sure, the porn movie wanted to use my phone book, camera, text message system, install programs, modify programs, kill my firstborn and hotwire my car. But ... but PORN!

    • by Anonymous Coward

      (Not a smartphone expert) It would be nice if instead of having to grant all permissions to install an app, one could uncheck various permissions and install anyways knowing that functionality would be reduced or broken. 90% of the time the extra permissions are for features I don't want but there is no similar app without those features.

      • Permissions in Android are seriously broken. Much better the way iPhone does it, it doesn't ask for any permission at install time, when the app needs to use whatever, it will ask the moment it needs it. This way as a user it's much easier to identify the reason why the app is asking for this permission. For example if a text message app uses the microphone for phone calls, even if you didn't know this was a feature of the app, the first time you discover the feature it will ask permission as opposed to And

  • The photo thing is an interesting twist here.

    But this attack vector seems to require the end-user to authorize things a number of times along the way. As stated in the article the real problem/danger is folk willy-nilly installing apps from heaven knows who.

    I wonder if/when these things will simply never unlock the device. Just keep asking for more money. Or unlock it and lock it again for no reason randomly in the future.

    We seem to have reached a strange point with communications technology. We're bar

  • From the featured article: "To avoid being victim of such ransomware, it is always best to download apps only from trusted app stores, such as Google Play. This can be enforced by unchecking the option of "Unknown Sources" under the "Security" settings of your device."

    How does the plural work in "trusted app stores"? Since when has Android allowed the user to specify which other repositories are worthy of trust? I thought "Unknown sources" was just a binary choice between Google only and everything, as opposed to the ability to create a middle ground of trusting Google, Amazon, F-Droid, and no other sources.

    • by mjwx ( 966435 )

      From the featured article: "To avoid being victim of such ransomware, it is always best to download apps only from trusted app stores, such as Google Play. This can be enforced by unchecking the option of "Unknown Sources" under the "Security" settings of your device."

      How does the plural work in "trusted app stores"? Since when has Android allowed the user to specify which other repositories are worthy of trust? I thought "Unknown sources" was just a binary choice between Google only and everything, as opposed to the ability to create a middle ground of trusting Google, Amazon, F-Droid, and no other sources.

      Google and Android operate on the theory that if you enable unknown sources you are smart enough to figure out what is and isn't safe for yourself.

      The problem Google has is that they have no control over sources outside of their own, so they can't take any responsibility for it.

  • "The crudely-planned app features an extraordinarily demanding privacy/functionality swap at install, and proceeds to demand a $500 'FBI fine' via PayPal, rather than any of the cryptocurrencies which most ransomware authors currently favour."

    If only more people were in the habit of reading EULAs before using an app, this kind of thing wouldn't be so prevalent.

  • by kencurry ( 471519 ) on Tuesday September 08, 2015 @12:24PM (#50479837)
    How do they get a picture of you and what you are looking at together? If it is a mash up, couldn't they just mash up your face (pic they took) with some disgusting porn pic anyway?

    I don't get it.
  • Is it clever or crudely planned? The article suggests it's both.
  • by trawg ( 308495 ) on Tuesday September 08, 2015 @12:48PM (#50480193) Homepage

    The most interesting thing in the summary is that they're using PayPal over Bitcoin (or other cryptocurrencies). Is this because they're clueless noobs who can't be bothered to figure out how to use Bitcoin? Is it because PayPal is so terrible at stopping accounts engaged in this kind of abuse that they can still make a shitload of money before they're blocked? Is it because they've found Bitcoin is not useful or flexible enough?! So many questions!

    • Or because it's much more likely that the user that is willing to pay won't have a clue on how to send money using bitcoin so they risk using paypal and getting some money before they are discovered?

  • Installing an app asking for every permission under the sun / admin rights to watch porn is a terrible idea. I wouldn't be surprised if the app itself came from a dodgy warez site. Though I've also seen sites where a dodgy banner ad immediately starts pushing an apk - literally visit the site from a phone and next thing you know an apk is downloading. It's a terrible security flaw in browsers that they don't stop this.
