Porn-themed Android Ransomware Takes Your Picture Before Asking For Money
An anonymous reader writes with a link to The Stack's report that researchers at security firm Zscaler have spotted a clever new variety of Android-based ransomware, which takes advantage of phones' built-in cameras to add a personal touch; it activates the camera to take a snapshot of the user, which is then incorporated into its blackmail note. "The crudely-planned app features an extraordinarily demanding privacy/functionality swap at install, and proceeds to demand a $500 'FBI fine' via PayPal, rather than any of the cryptocurrencies which most ransomware authors currently favour."
If they took my picture... (Score:5, Funny)
They'd send me money and tell me to go see a plastic surgeon.
When using this app, keep your phone pointed down (Score:2)
Unless, you have some unusual moles or tattoos down there.
That way, when the ransomware comes in you can say "That little thing isn't my junk!"
Re: (Score:1)
Re: (Score:2)
Good point. The editor should have realized we're not even reading the summaries nowadays.
Is this amateur hour? (Score:4, Insightful)
Re: (Score:3)
It's the FBI, silly. PayPal will give the FBI money - no problemo. They're the good guys.
Re: (Score:2)
Re: (Score:2)
Just the first stage. (Score:2, Insightful)
It's probably just a matter of time, perhaps not much time, before some entrepreneurs figure out that is a generally-useful marketing tactic. We can expect that the little "selfie" cameras on phones and tablets are being turned on briefly by assorted ads delivered along with the web page you looked at, and sent back to the mother ship for later use. You won't have to go through the bother of signing in or otherwise identifying yourself, since your ISP/cell company can supply them with that info (for a pr
Re: (Score:2)
It says "I'm with stupid", but with no arrow.
Hey, where can I get one of those?
Re: (Score:2)
Why would I care? (Score:2)
Why would I care if they had my picture, what exactly does that prove or how does it harm me?
Personally, ransomware authors should be hunted down and shot, but I think having my picture and claiming that it came from some porn app is a pretty weak threat.
Re: (Score:1)
Maybe you are younger or in better shape. I'm sure my coworkers and relatives would have a hearty laugh at my expense if my cam caught me at the wrong time. Let's just say some things are too big and other things are too small.
Re: (Score:1)
I'm assuming it would take periodic or random pictures or frame sets, and sift for those showing the "most" via either cheap 3rd world labor or AI. If the hacker(s) doesn't do that now, it will probably evolve that way within this crime group or a new group inspired by this one.
To reduce (suspicious) bandwidth, an on-phone algorithm may use simpler AI or criteria to find candidate pics or sequences, and forward only those that look promising back to base to be further scrutinized. That way the phone is not
Re: (Score:2)
Maybe you are younger or in better shape.
Neither, which is probably why I wouldn't care. (If anyone gets off looking at me, they have bigger problems than a wad of cash will solve.)
Re: (Score:2)
Oh, I don't know ... a picture showing what was on screen, a picture of you making your O-face, and a timestamp showing you were fapping to "teenage girls with donkey" when you should have been working might do it.
That it's taken this long actually surprises me.
Blackmail only works if the people care if you release the images or not ... but in this case they've also probably locked you out of your phone.
The problem is that apps demand a lot of permissions they don't really need, and people just give it to t
Re: (Score:2)
Oh, I don't know ... a picture showing what was on screen, a picture of you making your O-face, and a timestamp showing you were fapping to "teenage girls with donkey" when you should have been working might do it.
I still wouldn't care. That's tame compared to what they could catch me doing.
Re: (Score:2, Interesting)
Re: (Score:1)
Isn't that risky? A mistake or hackers might uncover the pile. It's probably safer to delete them ASAP. And I assume by "mugshot" you mean more than just a face.
Re: (Score:3)
Re: (Score:2)
I keep a folder of mugshots as a trophy for removing this garbage app.
Of course you're getting signed permission from these users to keep those pics so that you don't end up in jail yourself.
Re: (Score:2)
Of course he also didn't say whether or not he asks for permission to keep the photos. Seems like a bit of an unwarranted assumption to leap right from "I keep a dump" to "I keep a copy whether they like it or not".
Re: (Score:2)
Are you kidding? Who the hell would approve if their IT guy shows up and says "hey your phone took some pictures of you using your phone at random times, mind if I keep them?"
Re: (Score:2)
Um, I would, tho, I would want to see them first.
Learn from laptops & desktops (Score:2)
Perhaps it's time to have hardware covers on phone cams and perhaps a red "open" light and notice beep. Whether they are manual or auto-open is an issue to consider.
It's all still too complicated (Score:2)
My ransomware app just randomly posts a message "I know what you've been doing!" with a mention of my PayPal account.
Re: (Score:2)
I was hot, and I was hungry.
Not possible on BlackBerry (Score:2)
Re: (Score:2)
iOS is similar. The latest version of Android offers this... but only if the app maker allows it in the manifest. Otherwise, if you want to protect your camera, you physically do something with the phone or you use xPrivacy so the app has full and free rein to access what it thinks is the camera... but in reality is just getting a black screen.
Android's all or nothing permission model is the ecosystem's biggest weakness. How many users even care what the fleshlight app they downloaded use for permission
Extraordinary demands? (Score:3)
Yeah, sure, the porn movie wanted to use my phone book, camera, text message system, install programs, modify programs, kill my firstborn and hotwire my car. But ... but PORN!
Re: (Score:1)
(Not a smartphone expert) It would be nice if instead of having to grant all permissions to install an app, one could uncheck various permissions and install anyways knowing that functionality would be reduced or broken. 90% of the time the extra permissions are for features I don't want but there is no similar app without those features.
Re: (Score:2)
Permissions in Android are seriously broken. Much better the way iPhone does it, it doesn't ask for any permission at install time, when the app needs to use whatever, it will ask the moment it needs it. This way as a user it's much easier to identify the reason why the app is asking for this permission. For example if a text message app uses the microphone for phone calls, even if you didn't know this was a feature of the app, the first time you discover the feature it will ask permission as opposed to And
Constant mistrust (Score:2)
The photo thing is an interesting twist here.
But this attack vector seems to require the end-user to authorize things a number of times along the way. As stated in the article the real problem/danger is folk willy-nilly installing apps from heaven knows who.
I wonder if/when these things will simply never unlock the device. Just keep asking for more money. Or unlock it and lock it again for no reason randomly in the future.
We seem to have reached a strange point with communications technology. We're bar
Re: (Score:2)
Highlights a deficiency in "Unknown sources" (Score:3)
From the featured article: "To avoid being victim of such ransomware, it is always best to download apps only from trusted app stores, such as Google Play. This can be enforced by unchecking the option of "Unknown Sources" under the "Security" settings of your device."
How does the plural work in "trusted app stores"? Since when has Android allowed the user to specify which other repositories are worthy of trust? I thought "Unknown sources" was just a binary choice between Google only and everything, as opposed to the ability to create a middle ground of trusting Google, Amazon, F-Droid, and no other sources.
Re: (Score:2)
From the featured article: "To avoid being victim of such ransomware, it is always best to download apps only from trusted app stores, such as Google Play. This can be enforced by unchecking the option of "Unknown Sources" under the "Security" settings of your device."
How does the plural work in "trusted app stores"? Since when has Android allowed the user to specify which other repositories are worthy of trust? I thought "Unknown sources" was just a binary choice between Google only and everything, as opposed to the ability to create a middle ground of trusting Google, Amazon, F-Droid, and no other sources.
Google and Android operate on the theory that if you enable unknown sources you are smart enough to figure out what is and isn't safe for yourself.
The problem Google has is that they have no control over sources outside of their own, so they can't take any responsibility for it.
Why won't it read? (Score:2)
"The crudely-planned app features an extraordinarily demanding privacy/functionality swap at install, and proceeds to demand a $500 'FBI fine' via PayPal, rather than any of the cryptocurrencies which most ransomware authors currently favour."
If only more people were in the habit of reading EULAs before using an app, this kind of thing wouldn't be so prevalent.
composition (Score:3)
I don't get it.
Which is it? (Score:2)
PayPal vs Bitcoin (Score:3)
The most interesting thing in the summary is that they're using PayPal over Bitcoin (or other cryptocurrencies). Is this because they're clueless noobs who can't be bothered to figure out how to use Bitcoin? Is it because PayPal is so terrible at stopping accounts engaged in this kind of abuse that they can still make a shitload of money before they're blocked? Is it because they've found Bitcoin is not useful or flexible enough?! So many questions!
Re: (Score:2)
Or because it's much more likely that the user that is willing to pay won't have a clue on how to send money using bitcoin so they risk using PayPal and getting some money before they are discovered?
Re: (Score:2)
Another good hypothesis!
The application of common sense (Score:2)
Re:Be prepared to wipe your phone at any time? (Score:5, Informative)
I'm not sure I get this. Who's walking around with a phone that they're not prepared to wipe at a moment's notice anyway?
Everyone else on the planet.
Re: (Score:3)
I wiped my iPhone once (OS update didn't go according to plan). I restored to the last backup (previous night). It worked, everything synced and life went back to normal in an hour.
However - if my previous backup had had the bad-actor already on it I'm not sure this plan would have worked. One might need a Restore from Day X feature.
I had other concerns such as - were my photos safe? Most content is pull (podcasts, movies, music) and I'm not worried about that - download again. Content created on
Re:Be prepared to wipe your phone at any time? (Score:4, Insightful)
The VAST majority of smartphone users.
Exactly. They are smartphone users not smart phone users.
Re:Be prepared to wipe your phone at any time? (Score:5, Insightful)
Perhaps parents whose recent photos of their child haven't yet been backed up? Someone who simply doesn't want to go through the hassle? Can we assume that quite a majority of users don't use their devices in the most perfectly organized manner possible?
"You should always be prepared to wipe" is not an excuse for the poor security that comes standard on many phones. I see tons of complaints here about how crappy the Apple and Microsoft walled-gardens are. Which I agree with. But instead of the same comments lambasting that approach, I'd like to see insightful conversations focusing on securing Android and making the iOS/Windows approaches more flexible.
Re: (Score:2)
They will learn the first time that they drop their device and it breaks. Or they lose it.
Re: (Score:2)
Would it matter if that picture was being passed onto a server somewhere where someone could post it publicly and show that you were a dirty bird looking at something you'd rather not have your peers know you're looking at?
It wouldn't matter to me, but some prudes or hypocrites might get all pissy about it.
Re: (Score:2)
I'm not sure I get this. Who's walking around with a phone that they're not prepared to wipe at a moment's notice anyway?
I'm sure you're living quite the lifestyle there Mr. Bond, but the rest of society doesn't usually walk around prepared to instantly wipe their damn life from their electronica at a "moment's notice" like you obviously do.
On top of that, let's talk about the technology that everyone would rely upon if they were actually ready and willing to instantly wipe their devices, as if we've not proven time and time again that the infamous "cloud" is about as secure as a wet paper sack...
Re: (Score:2)
Exactly. Most of us carry burner phones that we can just toss in the trash at a moment's notice like Raymond Reddington.
Re: (Score:2)
Re: (Score:2)
What he meant to say was wipe with your phone. It's not particularly comfortable but it saves a bundle on Charmin Ultra Soft.
Re: (Score:2)
It does advance the concept of the paperless office, though.
Re: (Score:2)
What are you doing that you even have to think about wiping your phone? lol And no, I haven't a clue how to wipe my phone. For what reason/reasons would I need to?
Knowing how to wipe it, and being willing to have it wiped are completely separate issues.
If you lost your phone or it fell into a sink or caught fire what would you lose? Me, I'd lose some photos, I'd be annoyed at the data loss. (And more annoyed at needing a new phone.) But the data loss wouldn't bother me, and I wouldn't pay $10 to a ransom to get it back, never mind $500.
The question is who has $500 worth of irreplaceable stuff on their phone?
Re: (Score:2)
Re: (Score:2)
>> What are you doing that you even have to think about wiping your phone?
Working for a corporation. What did you think that app they asked to install on your phone (for BYOD) does?
>> And no, I haven't a clue how to wipe my phone.
Your IT department might.
Re: (Score:2)
Re: (Score:3, Funny)
Good point. I wipe my phone after every porn viewing session. I learned that lesson the hard way. It ain't no fun getting an earful of goo.
Re: (Score:2)
Alright guys. Society's hygiene standards are varied and mostly superfluous; I'm not here to tell you to shower every twelve hours. But there is a line, it's called "sanitary", whereafter actual consequences follow.
I don't mind most stereotypes and stigmas, but much like disease control I want everyone to keep an eye on that breakpoint.
So anyway, depending on your use, you might want to check the phone before you start.
Re: (Score:3)
Oh come on ... that question is so naive, simple, or stupid as to defy belief.
The percentage of tech-savvy, leery, paranoid people who distrust their phone and haven't built their lives around it is vanishingly small.
Everyone else doesn't know, doesn't care, and as long as they have shiny baubles and new games to play ... doesn't give a shit about this stuff.
If you "don't get this" it's because you've allowed you
Re: (Score:2)
Google, Apple, and Microsoft all push hard for you to use their cloud services, automatically uploading your data to their servers. Someone non-technical is likely to just go for the default options, which amounts to handing all your data over to $phone_vendor.
My parents fairly regularly have to reflash their iPhones due to upgrade problems. My wife has lost her phone more than once and needed a replacement; she generally distrusts technology, so she doesn't rely on her phone much anyhow. Her conta
Re: (Score:2)
In theory, it is a good thing to have that ability, so if someone loses their phone in an outhouse or it gets grabbed, it can be erased.
With iOS, iCloud backups combined with one's cloud provider of choice to back up photos/movies in real time helps here.
With Android, it is a bit harder. Google's restore mechanism is laughable, so to restore data, the best thing is to have a cloud provider for photos/movies, and use a backup utility like Titanium Backup which not just can back up apps... but actually encry
Re: (Score:3)
Wiping the phone does you no good because they already have your picture--the phone sent it to them.
Re: (Score:2)
Isn't the picture just window dressing, though? The ransom is to unlock your phone, not delete your picture. (The FBI warning is obviously fake.)
I think "wipe and reinstall" on iOS is no problem, because that's what it does when I get a new iPhone: during setup it logs into your iCloud/iTunes/etc and replicates everything from your old phone onto your new phone (except passwords). I'd expect wipe and reinstall to do the exact same thing. Android, I don't know.