Zscaler researchers spotted attackers using porn to lure victims into downloading the Android Marcher trojan.
The attackers send porn-themed links to victims via email or SMS that, once visited, prompt users to download the trojan disguised as an Adobe Flash Player update, according to a Mar. 10 blog post.
Researchers said they captured over 50 unique payloads from this campaign serving a fake adobe flash player for watching porn.
The goal of the malware is to steal the user's financial information from a phishing page designed to mimic the Google Play store payment page that supposedly needs to be filled out before a victim can access the “content,” researchers said.
“Newer variants of the Android marcher will also present a fake online banking login page based on information collected about already installed banking apps on victim's device,” the post said.
Zscaler Head of Security Research Deepen Desai told eWEEK the fake payment pages tell victims "you will not be charged unless you make a purchase."
On some occasions, researchers also witnessed the malware instructing victims to download the X-VIDEO app from the official Google Play store although the app has reportedly been verified as safe.
"We did not see anything malicious in X-VIDEO, and this was also confirmed by Google's Android team," Desai said. "However, this may be a tactic to further convince the user into entering the payment information on the fake Google Play payment page to complete the account setup and download this porn app."
In order to avoid the scam, researchers said users should download apps only from trusted app stores and recommend users uncheck the "Unknown Sources" option under the "Security" settings of your device.”
