Pornographic-themed Malware Hits Android Users in China, Taiwan, Japan

Sex sells, and nowhere is that more true than the Chinese mobile landscape. Porn-themed malware has been hitting Android users in China, Japan, and Taiwan in recent weeks.

These malicious apps are distributed via SEO-optimized fake websites, with keywords targeting hot scandals and affairs used. These sites pretend to be porn video websites, and all lead to various malicious apps being downloaded. The use of adult-themed content echoes the one-click billing fraud app we’ve covered a few years back.

We found three different malware families distributed via these sites, but they all have the same behavior: they are used to distribute more malicious apps onto user devices. These are continuously pushed to users via pop-up notices:

Figure 1. Malware pushed as fake system update

One malicious app detected as AndroidOS_Souying.HRX includes integrated exploit code which can target various unsecure kernel driver vulnerabilities (including CVE-2012-6422, CVE-2013-2595, and CVE-2014-2273) to gain root access. With root privileges, rogue apps can be silently installed.

Figure 2. Kernel exploits targeting vulnerable drivers

Soon, the device will be filled up with various rogue apps:

Figure 3. Multiple malicious apps added to a single device

Some of the apps distributed in this manner pose as pornographic videos, but are used for fraud.

Fraudulent Porn Video

Four families of the malicious apps we found pose as pornographic video players. If the user clicks on any of the videos, the device will send premium SMS messages that cost the user money. In addition to this, a visible payment interface is also present. If the user pays, the app will ask for more money. In addition to videos, pornographic literature is also distributed this way. We detect these apps as:

  • AndroidOS_DownAdmin.HRX
  • AndroidOS_Porner.OPS
  • AndroidOS_Souying.HRX
  • AndroidOS_Curious.HRX

Figure 4. Fake pornographic video player asking for approximately 3 USD

Fraudulent Social Dating

Alongside the above apps, fraudulent social dating apps are also present. These apps show “friendly” welcome messages that have been sent to the user by automated bots.

Figure 5. “Welcome” messages (including voice) from bots

If the victim believes these messages are “real” and wants to reply, the app will charge the user approximately 16 US dollars a month as payment.

We detected this malware as AndroidOS_LoveFraud.HRX. A large social dating website is behind this particular scheme. This site has a fairly simple registration process that doesn’t ask for a password, username, or address. This has allowed the company to get 190 million users; we believe that this count is inflated by this app.

Fraudulent Advertising

A rogue game we detect as AndroidOS_Liangou.HBT drops a fake download manager. This download manager registers itself as a Device Administrator to prevent users from removing it easily. (AndroidOS_DownAdmin.HRX mentioned earlier does this as well.) If the user tries to deactivate the malicious app, the malware will lock the screen.

Figure 6. Malicious apps activated as Device Administrator

Figure 7. Malware pushed by fake Download Manager

In addition to malware, fraudulent advertisements are pushed as well.

Figure 8. iPhone 6 sales scam

We detect apps pushed to users this way as:

  • AndroidOS_Durian.HBT
  • AndroidOS_HHPlug.HBT
  • AndroidOS_McsApp.HNT
  • AndroidOS_SMSSnow.HRX
  • AndroidOS_Youai.HBT
  • AndroidOS_UUAd.HRX

So who made these porn websites and apps?

The cybercriminals behind this attack use garbage words in their domains to host malicious services for a while, then change domains and servers. However, there are clues in some of the downloaded malware.

One of the apps detected as AndroidOS_Souying.HRX connects to the site a specific URL to download more malware. The domain of this URL belongs to an app promotion company located in Hangzhou, China. This company is responsible for distributing apps to users via pornographic websites and apps.

Developers hire this company to distribute apps for them. They do not appear to have a meaningful selection process, and their own app includes fraudulent routines as described in the Fraudulent Porn Video section. In addition, thousands of malicious apps are still hosted on their websites that are also connected to the above app promotion company.

It’s not only users in China that are affected by this threat. Feedback from our users suggests that users in Taiwan and Japan are being affected as well. It is possible that Chinese-speaking users in these countries are also being affected by this threat. The heat map below shows the parts of the world where these kinds of apps are being detected within the past 30 days:

Figure 9. Heat map of targeted users

Users of Trend Micro Mobile Security can scan apps before they are installed. If possible, we also recommend that users refrain from downloading apps outside of official sources like the Google Play store. Potential victims may also need to perform factory resets on their devices to clean any threats that have set thsemselves up as a device administrator.

Hashes of the related files are as follows:


  • c2236c5c02da7efb502a372e46e7fc0d33673bfc


  • 4c0c74e4a240362e9ee603efab18e4f2266d4249


  • 573f44865809e3a1435a5438aa8d482b12186768


  • 24b32b2a09eb3130584d8d0d35aa05e3952f2e8b


  • c77a21af5cfe7cd59797ee1eef4d712094264085


  • 5e141f138f110db12c1d749ab2c984e5c86a46b5


  • 0a2004080409d53f628794241a59e67880d6b2a7


  • 085466c14e4dcf1690106352f0046bd2f6c1962f


  • fb0ff3f46ac73cf7c93e7cc2da00d6eeae3c36f2


  • 563fe5c8b2cfc3b448d7c65d8fd5e24e45f9927b


  • 5adca9a5e44a216e123cd191ff42d25c4d87eee6


  • 95a506cdbe887a86c1f35607ac69ae477d3417b0

Read more: Pornographic-themed Malware Hits Android Users in China, Taiwan, Japan

Story added 26. October 2015, content source with full text you can find at link above.