A new variant of the PornDroid mobile malware family waits four hours before executing its malicious functionality in order to fool AV software programs' dynamic analysis.
A new variant of the PornDroid mobile malware family waits four hours before executing its malicious functionality in order to fool AV software programs' dynamic analysis.

A newly discovered variant of the Android ransomware PornDroid eludes all antivirus programs by waiting four hours before executing its malicious activity as well as by employing heavy amounts of obfuscation.

Despite these clever innovations, PornDroid lacks one core piece of functionality – it does not actually unlock victims' screen after they pay up, according to Zscaler, whose researchers recently discovered the malware on certain compromised Russian mobile applications.

In a blog post published last Friday, Zscaler reported that the ransomware falsely warns victims in a full-screen message that their device's service has been suspended due to viewing or storing illegal pornographic images. In an attempt to extort a prompt payment, PornDroid claims that if the user does not pay a “fine” within 12 hours, it will send SMS messages to his or her mobile contacts, stating that the device owner's phone was blocked due to child pornography. However, this is an idle threat – the malware does not have this capability. (In the sample Zscaler provides in its blog post, the ransom note asks for 500 rubles.)

In yet another bluff, the malware asserts that any attempts to unlock the phone will result in a “complete blocking” of the device and a loss of stored information. Moreover, PornDroid threatens to publicly post the infected phone's information and label it as “pedophile data.”

The cybercriminals behind this ransomware operation are attempting to target a wide audience of Russian users by compromising legitimate apps such as the Russian entertainment and social networking app "OK." While apps sold on Google Play so far appear safe from this threat, apps compromised with this PornDroid variant have been found on untrustworthy third-party sites, Zscaler has reported.

“The malware author will usually target popular apps, especially the ones that do not leverage strong anti-tamper techniques” that check if an app has been tampered by a third party and stops it from working if modifications are detected,” said Deepen Desai, senior director of security research at Zscaler, in an email interview with SC Media.

According to Desai, PornDroid compromises apps in automated fashion, modifying the contents of the application packages to incorporate a latent ransomware component that commences activity only after a four-hour delay. In the meantime, the original functionality of the apps remain intact. This enables the ransomware to elude anti-virus software programs' dynamic analysis capabilities, which typically examine apps' behaviors for only a few seconds to a few minutes.

PornDroid also avoids AV detection by using highly obfuscated code. "Almost all strings, method names, variable names, and class names are disguised in such a way that it's extremely difficult to understand the code, the blog post has reported.

Once the time-delayed malicious activity begins, users receive a prompt requesting that they add a device administrator. Pressing the “Activate” button locks the screen and delivers the ransom note, while hitting the “Cancel” button causes the same prompt to reappear over and over, frustrating the user.

Fortunately for infected users, the malware can be successfully mitigated by booting an infected device into Safe Mode, which disables all third-party applications. Users must then remove the app's device administrator privilege, uninstall the app, and then reboot the device once more, back into normal mode.