During our continued efforts to protect our customers against the latest mobile threats, we came across another malicious app that used pornography to attract users. Noting that 1 in 5 mobile searches are related to porn, it’s no surprise that hackers continue to create fake porn apps to disguise malware. Our researchers analyzed another similar adult themed malware in November last year.
App Name: 岛国速播
Package Name: ugo.jkh.efp
VirusTotal Detection: 15/55
The application in question is presented as a porn player. When the user clicks on the application icon, he or she will be presented with thumbnails to many porn videos. When the user tries to play one of these videos, the application will download 3 files in the background and a shortcut will be placed on the main page of the device. The application also requests on-demand videos via SMS – costing the user money without them knowing. The 3 dropped files are also depicted as porn players. When the user clicks on videos shown in these applications, they again drop more files to the device – resulting in a never-ending process. Some of these dropped files have icons that look similar to the Internet Explorer and Angry Birds applications for the sole purpose of scamming the user. However, these dropped applications are actually SMS stealers or fake installers.
Upon launching the application, you will be able to see a list of obscene videos. When you click on any of those videos, instead of playing them the malware drops 3 additional porn applications on the device.
When the user tries to play a video from the application, a JAR file is downloaded from the link hxxp://link[.]kssgx[.]com/cj[.]jar. This URL is stored in the application in the following fashion:
|cj.jar URL formation|
Subsequently it fetches another URL from the downloaded cj.jar, which is then used to drop multiple malicious apps to the user’s device. The link for downloading the dropper files are stored in an xml file, the link to which is present in cj.jar
|URL for XML file|
This xml file contains the URL for downloading the dropper files.
|XML file contents|
All the downloaded files have been flagged malicious by multiple AV vendors. Here are links to 3 malicious APK files dropped on the device by the main application:
- hxxp://www0127[.]007wr[.]com/a[.]php?aid=1313 – Qvodplayer1001.apk
- hxxp://csu[.]hsouying[.]com/IJjyMj – this gets redirected to hxxp://appcdn[.]hsouying[.]com/video/appstore1/destapk/1457085498605/avplay02039[.]apk
This application downloads yet another file from the link hxxp://cdn2[.]upay360[.]cn/pack[.]dat. This is a jar file, which shows some really shady behavior. This jar file uses 3 broadcast receivers:
|POST request for SMS|
|Device Details in post request|
The victim can traverse to Settings option in the Android device.
- Settings –> Apps
- Find the app in the list and click on it
- Then, click on Uninstall option
- Click Ok
Working as a cyber security solutions architect, Alisa focuses on application and network security. Before joining us she held a cyber security researcher positions within a variety of cyber security start-ups. She also experience in different industry domains like finance, healthcare and consumer products.