Pornographic-themed Malware Hits Android Users in China, Taiwan, Japan

Sex sells, and nowhere is that more true than the Chinese mobile landscape. Porn-themed malware has been hitting Android users in China, Japan, and Taiwan in recent weeks.

These malicious apps are distributed via SEO-optimized fake websites that use keywords tied to current scandals and affairs. These sites pretend to be porn video websites, and all of them lead to various malicious apps being downloaded. The use of adult-themed content echoes the one-click billing fraud app we covered a few years back.

We found three different malware families distributed via these sites, but they all have the same behavior: they are used to distribute more malicious apps onto user devices. These are continuously pushed to users via pop-up notices:

Figure 1. Malware pushed as fake system update

One malicious app detected as AndroidOS_Souying.HRX includes integrated exploit code that targets various insecure kernel driver vulnerabilities (including CVE-2012-6422, CVE-2013-2595, and CVE-2014-2273) to gain root access. With root privileges, rogue apps can be silently installed.

Figure 2. Kernel exploits targeting vulnerable drivers

Soon, the device will be filled up with various rogue apps:

Figure 3. Multiple malicious apps added to a single device

Some of the apps distributed in this manner pose as pornographic videos, but are used for fraud.

Fraudulent Porn Video

Four families of the malicious apps we found pose as pornographic video players. If the user clicks on any of the videos, the device will send premium SMS messages that cost the user money. In addition to this, a visible payment interface is also present. If the user pays, the app will ask for more money. In addition to videos, pornographic literature is also distributed this way. We detect these apps as:

  • AndroidOS_DownAdmin.HRX
  • AndroidOS_Porner.OPS
  • AndroidOS_Souying.HRX
  • AndroidOS_Curious.HRX

Figure 4. Fake pornographic video player asking for approximately 3 USD

Fraudulent Social Dating

Alongside the above apps, fraudulent social dating apps are also present. These apps show “friendly” welcome messages that have been sent to the user by automated bots.

Figure 5. “Welcome” messages (including voice) from bots

If the victim believes these messages are “real” and wants to reply, the app will charge the user approximately 16 US dollars a month as payment.

We detected this malware as AndroidOS_LoveFraud.HRX. A large social dating website is behind this particular scheme. This site has a fairly simple registration process that doesn’t ask for a password, username, or address. This has allowed the company to get 190 million users; we believe that this count is inflated by this app.

Fraudulent Advertising

A rogue game we detect as AndroidOS_Liangou.HBT drops a fake download manager. This download manager registers itself as a Device Administrator to prevent users from removing it easily. (AndroidOS_DownAdmin.HRX mentioned earlier does this as well.) If the user tries to deactivate the malicious app, the malware will lock the screen.
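The two persistence and monetization traits described above (an app that registers as a Device Administrator to resist removal, and one that can send premium SMS or install further packages) can be spotted in a decoded manifest before an APK is run. The following triage script is an added example, not code from the post or from Trend Micro; it assumes the manifest has already been decoded to plain XML (for instance by apktool) and uses a constructed sample manifest:

```python
import xml.etree.ElementTree as ET

# ElementTree reports namespaced attributes in Clark notation: {uri}name
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Indicators drawn from the behaviours the post describes; not a complete rule set.
PERMISSION_FLAGS = {
    "android.permission.SEND_SMS": "can send premium SMS (fake video player behaviour)",
    "android.permission.INSTALL_PACKAGES": "can install packages silently once rooted",
    "android.permission.REQUEST_INSTALL_PACKAGES": "can prompt the user to sideload further APKs",
}
DEVICE_ADMIN_PERMISSION = "android.permission.BIND_DEVICE_ADMIN"
DEVICE_ADMIN_ACTION = "android.app.action.DEVICE_ADMIN_ENABLED"


def triage_manifest(manifest_xml: str) -> list[str]:
    """Return human-readable findings for a decoded AndroidManifest.xml string."""
    root = ET.fromstring(manifest_xml)
    findings = []
    # Permissions that enable the fraud / silent-install behaviour.
    for perm in root.iter("uses-permission"):
        name = perm.get(ANDROID_NS + "name", "")
        if name in PERMISSION_FLAGS:
            findings.append(f"{name}: {PERMISSION_FLAGS[name]}")
    # A receiver protected by BIND_DEVICE_ADMIN that listens for DEVICE_ADMIN_ENABLED
    # is the hook an app uses to become a Device Administrator.
    for receiver in root.iter("receiver"):
        if receiver.get(ANDROID_NS + "permission") != DEVICE_ADMIN_PERMISSION:
            continue
        actions = {a.get(ANDROID_NS + "name") for a in receiver.iter("action")}
        if DEVICE_ADMIN_ACTION in actions:
            findings.append(f"device admin receiver {receiver.get(ANDROID_NS + 'name')}: "
                            "cannot be uninstalled until the admin is deactivated")
    return findings


# Constructed sample manifest (hypothetical package name), not taken from any real sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeplayer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.INSTALL_PACKAGES"/>
  <application android:label="Video Player">
    <receiver android:name=".AdminReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN">
      <meta-data android:name="android.app.device_admin" android:resource="@xml/device_admin"/>
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    for finding in triage_manifest(SAMPLE_MANIFEST):
        print(finding)
```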

Figure 6. Malicious apps activated as Device Administrator

Figure 7. Malware pushed by fake Download Manager

In addition to malware, fraudulent advertisements are pushed as well.

Figure 8. iPhone 6 sales scam

We detect apps pushed to users this way as:

  • AndroidOS_Durian.HBT
  • AndroidOS_HHPlug.HBT
  • AndroidOS_McsApp.HNT
  • AndroidOS_SMSSnow.HRX
  • AndroidOS_Youai.HBT
  • AndroidOS_UUAd.HRX

So who made these porn websites and apps?

The cybercriminals behind this attack use garbage words in their domains to host malicious services for a while, then change domains and servers. However, there are clues in some of the downloaded malware.

One of the apps detected as AndroidOS_Souying.HRX connects to a specific URL to download more malware. The domain of this URL belongs to an app promotion company located in Hangzhou, China. This company is responsible for distributing apps to users via pornographic websites and apps.

Developers hire this company to distribute apps for them. It does not appear to have a meaningful selection process, and its own app includes fraudulent routines as described in the Fraudulent Porn Video section. In addition, thousands of malicious apps are still hosted on websites connected to this app promotion company.

It’s not only users in China that are affected by this threat. Feedback from our users suggests that users in Taiwan and Japan are being affected as well. It is possible that Chinese-speaking users in these countries are also being affected by this threat. The heat map below shows the parts of the world where these kinds of apps are being detected within the past 30 days:

Figure 9. Heat map of targeted users

Users of Trend Micro Mobile Security can scan apps before they are installed. If possible, we also recommend that users refrain from downloading apps from outside official sources like the Google Play store. Potential victims may also need to perform factory resets on their devices to clean out any threats that have set themselves up as a device administrator.

Hashes of the related files are as follows:


Read more: Pornographic-themed Malware Hits Android Users in China, Taiwan, Japan

Story added 26 October 2015; the content source with the full text can be found at the link above.