Porn-themed Android Ransomware Takes Your Picture Before Asking For Money
An anonymous reader writes with a link to The Stack's report that researchers at security firm zScaler have spotted a clever new variety of Android-based ransomware, which takes advantage of phones' built-in cameras to add a personal touch; it activates the camera to take a snapshot of the user, which is then incorporated into its blackmail note. "The crudely-planned app features an extraordinarily demanding privacy/functionality swap at install, and proceeds to demand a $500 'FBI fine' via PayPal, rather than any of the cryptocurrencies which most ransomware authors currently favour."
They'd send me money and tell me to go see a plastic surgeon.
Unless you have some unusual moles or tattoos down there.
That way, when the ransomware comes in you can say "That little thing isn't my junk!"
Mimetics Inc. Twitter
It includes so many clever hacks and malware, it's really interesting to watch from the bleachers what goes on on this swiss-cheese platform.
You sure this is android?
Take a photo of everyone for consuming porn. Declare everyone a pervert for being sexual.
When we accept openly that everyone likes sex, we get rid of the stigma, and disarm those who would use our nature against us.
A Paypal account? Paypal locks your account if you so much as blink too fast or too slow. They're never going to see the money. Plus, what is their plan for getting the money out? Having Paypal mail them a check?
I read the internet for the articles.
I'm not sure I get this. Who's walking around with a phone that they're not prepared to wipe at a moment's notice anyway?
Everyone else on the planet.
Faster! Faster! Faster would be better!
It's probably just a matter of time, perhaps not much time, before some entrepreneurs figure out that is a generally-useful marketing tactic. We can expect that the little "selfie" cameras on phones and tablets are being turned on briefly by assorted ads delivered along with the web page you looked at, and sent back to the mother ship for later use. You won't have to go through the bother of signing in or otherwise identifying yourself, since your ISP/cell company can supply them with that info (for a price). They can then use the photo and your info to persuade you that you should buy some of their products. Or they can just fake the session in which you ordered what they want to sell you.
I generally keep a bit of opaque tape over those cameras except when I actually want to use them.
Lessee, I took the tape off this laptop's camera; let's see if the slashcode knows how to send y'all my photo. It's a Macbook Pro, which should tell you which exploit to use. I'm currently sitting on the patio, in the shade of a grape vine, waiting for the temperature to reach a new historic high here in the Boston area. If you can find my photo, tell me the text on my t-shirt. If anyone succeeds, it'll show that this story isn't just someone's imagination. ;-)
Those who do study history are doomed to stand helplessly by while everyone else repeats it.
The VAST majority of smartphone users.
I was clearly sneezing
Perhaps parents whose recent photos of their child haven't yet been backed up? Someone who simply doesn't want to go through the hassle? Can we assume that quite a majority of users don't use their devices in the most perfectly organized manner possible?
"You should always be prepared to wipe" is not an excuse for the poor security that comes standard on many phones. I see tons of complaints here about how crappy the Apple and Microsoft walled-gardens are. Which I agree with. But instead of the same comments lambasting that approach, I'd like to see insightful conversations focusing on securing Android and making the iOS/Windows approaches more flexible.
All my liberal friends think I'm a conservative, all my conservative friends think I'm a liberal.
Would it matter if that picture was being passed onto a server somewhere where someone could post it publicly and show that you were a dirty bird looking at something you'd rather not have your peers know you're looking at?
I'm not sure I get this. Who's walking around with a phone that they're not prepared to wipe at a moment's notice anyway?
I'm sure you're living quite the lifestyle there Mr. Bond, but the rest of society doesn't usually walk around prepared to instantly wipe their damn life from their electronica at a "moment's notice" like you obviously do.
On top of that, let's talk about the technology that everyone would rely upon if they were actually ready and willing to instantly wipe their devices, as if we've not proven time and time again that the infamous "cloud" is about as secure as a wet paper sack...
Why would I care if they had my picture, what exactly does that prove or how does it harm me?
Personally, ransomware authors should be hunted down and shot, but I think having my picture and claiming that it came from some porn app is a pretty weak threat.
Just cruising through this digital world at 33 1/3 rpm...
Would it matter if that picture was being passed onto a server somewhere where someone could post it publicly and show that you were a dirty bird looking at something you'd rather not have your peers know you're looking at?
It wouldn't matter to me, but some prudes or hypocrites might get all pissy about it.
Just cruising through this digital world at 33 1/3 rpm...
What are you doing that you even have to think about wiping your phone? lol And no, I haven't a clue how to wipe my phone. For what reason/reasons would I need to?
Jack of all trades, master of none
Working as a sysadmin means I've been saddled with a corporate phone account for about 200 road warriors and marketing drones. I've had people come to me asking to reset their phones for vague or meaningless reasons, only to find this crap installed. Aside from the utterly puerile grasp the authors present of the various branches of US justice/law enforcement, the cameraphone picture is usually worth a quick chuckle. I keep a folder of mugshots as a trophy for removing this garbage app.
A quick call to the Android SDK adb command is much faster than mashing volume buttons to get into the boot loader.
Good people go to bed earlier.
Good point. I wipe my phone after every porn viewing session. I learned that lesson the hard way. It ain't no fun getting an earful of goo.
problem solved.
Why doesn't it instead show you porn (as advertised) send the details of what you like and looked at to a remote server, along with the pic of you it snapped and your name, plus, say, the top 10 email contacts you have.
Then it can pop up a message saying xyz website will be emailing your porn preferences and your pic, plus how often you look at it and maybe even some of the pix to those email contacts. A lot of guys have wives that would pass out if they found out their guy looked at porn, not to mention bosses that would probably fire them. Being that it's external (and you can go and check it yourself), no way to just format the phone and start fresh. Pay up or get screwed.
Well, luckily I'm a good guy. :)
Perhaps it's time to have hardware covers on phone cams and perhaps a red "open" light and notice beep. Whether they are manual or auto-open is an issue to consider.
Table-ized A.I.
Exactly. Most of us carry burner phones that we can just toss in the trash at a moment's notice like Raymond Reddington.
You are welcome on my lawn.
What he meant to say was wipe with your phone. It's not particularly comfortable but it saves a bundle on Charmin Ultra Soft.
You are welcome on my lawn.
What are you doing that you even have to think about wiping your phone? lol And no, I haven't a clue how to wipe my phone. For what reason/reasons would I need to?
Knowing how to wipe it, and being willing to have it wiped are completely separate issues.
If you lost your phone or it fell into a sink or caught fire what would you lose? Me, I'd lose some photos, I'd be annoyed at the data loss. (And more annoyed at needing a new phone.) But the data loss wouldn't bother me, and I wouldn't pay $10 to a ransom to get it back, nevermind $500.
The question is who has $500 worth of irreplaceable stuff on their phone?
My ransomware app just randomly posts a message "I know what you've been doing!" with a mention of my paypal account.
You have to deliberately grant an app access to the camera at install time. It's nice to have fine-grained access controls. For example, Evernote wants access to my microphone but since that's a feature I never use, it gets denied.
>> What are you doing that you even have to think about wiping your phone?
Working for a corporation. What did you think that app they asked to install on your phone (for BYOD) does?
>> And no, i haven't a clue how to wipe my phone.
Your IT department might.
Yeah, sure, the porn movie wanted to use my phone book, camera, text message system, install programs, modify programs, kill my firstborn and hotwire my car. But ... but PORN!
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
It does advance the concept of the paperless office, though.
The photo thing is an interesting twist here.
But this attack vector seems to require the end-user to authorize things a number of times along the way. As stated in the article the real problem/danger is folk willy-nilly installing apps from heaven knows who.
I wonder if/when these things will simply never unlock the device. Just keep asking for more money. Or unlock it and lock it again for no reason randomly in the future.
We seem to have reached a strange point with communications technology. We're barraged by blatant fraud from all sides. Nuisance and scam calls on the phones. Nonsense via SMS. Tons of spam to the email. Junk-mail and endless scams via snail-mail. Now fraudulent "we're the FEDS/IRS" via these goofy apps or websites.
We're being trained to trust nothing.
From the featured article: "To avoid being victim of such ransomware, it is always best to download apps only from trusted app stores, such as Google Play. This can be enforced by unchecking the option of "Unknown Sources" under the "Security" settings of your device."
How does the plural work in "trusted app stores"? Since when has Android allowed the user to specify which other repositories are worthy of trust? I thought "Unknown sources" was just a binary choice between Google only and everything, as opposed to the ability to create a middle ground of trusting Google, Amazon, F-Droid, and no other sources.
Read about this app last night, and this morning I encountered an ad trying to play off of this scheme... I just closed the tab and moved on - but the fact that porn ads are starting to copy this concept is kind of scary - people may pay out of fear when they could have just closed the tab (like I did).
Dude lol I am a normal everyday guy, I don't work for any corporation or IT department.
Jack of all trades, master of none
Oh come on ... that question is so naive, simple, or stupid as to defy belief.
The percentage of tech-savvy, leery, paranoid people who distrust their phone and haven't built their lives around it is vanishingly small.
Everyone else doesn't know, doesn't care, and as long as they have shiny baubles and new games to play ... doesn't give a shit about this stuff.
If you "don't get this" it's because you've allowed yourself to live in a bubble in which you actually believe people are tech savvy, knowledgeable, and actually give a damn.
And that level of willful ignorance defies belief, because you'd have had to avoid so much reality from the last decade as to not be credible.
We see this shit every day, and screech about it and add more layers of tinfoil. But not knowing the rest of the planet is oblivious means you haven't even tried to pay attention.
I'm betting the percentage of people ready to wipe their phone on short notice is less than 1 in 50. Possibly less than 1 in 100.
Lost at C:>. Found at C.
Who thinks they need a special app to view porn videos? VLC, or the built-in video player will work just fine.
I'm just an adv guy, I have zero on my phone except phone numbers. Every image I've ever taken I uploaded to my PC and got printed out if I want to save them.
Jack of all trades, master of none
I am a normal everyday guy, I don't work for any corporation
Most people do. It's called "having a job".
"The crudely-planned app features an extraordinarily demanding privacy/functionality swap at install, and proceeds to demand a $500 'FBI fine' via PayPal, rather than any of the cryptocurrencies which most ransomware authors currently favour."
If only more people were in the habit of reading EULAs before using an app, this kind of thing wouldn't be so prevalent.
- First they ignore you, then they laugh at you, then ???, then profit.
The VAST majority of smartphone users.
Exactly. They are smartphone users not smart phone users.
I wiped my iPhone once (OS update didn't go according to plan). I restored to the last backup (previous night). It worked, everything synced and life went back to normal in an hour.
However - if my previous backup had had the bad-actor already on it I'm not sure this plan would have worked. One might need a Restore from Day X feature.
I had other concerns such as - were my photos safe? Most content is pull (podcasts, movies, music) and I'm not worried about that - download again. Content created on my device is what I'm never sure will be restored. If you asked Android/iPhone users "Will your data be restored after a wipe?" I'm sure you'd get several answers - all due to confusion over the feature. iPhone for instance requires you to sync with a Mac/PC in order to (safely) delete them from phone storage (which I do, like, twice a year). Sure they are "in the cloud" - but that ain't considered the same thing.
But I will say - restoring my phone & tablet was much easier than say - restoring my PC.
In theory, it is a good thing to have that ability, so if someone loses their phone in an outhouse or it gets grabbed, it can be erased.
With iOS, iCloud backups combined with one's cloud provider of choice to back up photos/movies in real time helps here.
With Android, it is a bit harder. Google's restore mechanism is laughable, so to restore data, the best thing is to have a cloud provider for photos/movies, and use a backup utility like Titanium Backup which not just can back up apps... but actually encrypt them [1] and send the encrypted backups to the cloud provider of choice. Using utilities like nandroid also helps.
For most people, losing a phone sucks, but it is far easier to back up a phone than it is a computer.
As for malware, it does require root, but xPrivacy and some type of app that is an iptables wrapper are musts. This way, if an app doesn't need to phone home, it can't, and even if it got permission to use the camera from initial install, xPrivacy will prompt the user (or just fetch the app's entry from a DB and auto-deny access) and let the user decide if the app requires access to cameras, phone contacts or both.
In any case, this app is just the first salvo with ransomware. Future ransomware versions will exploit Android's all-or-nothing permission model [2] and start sending pictures at random to contacts, slurping up contacts, grabbing or overwriting the SD card, impersonating a user via E-mail accounts, and other nastiness.
[1]: Titanium Backup actually has a pretty well thought out encryption mechanism. Each file is encrypted via a public/private key keypair, but the private key is stored with the file, and decrypted with the passphrase. This way, backups can be done and encrypted with the public key, while a restore requires the passphrase.
[2]: The selective permission model in the next Android rev only applies to app developers who allow it in the manifest, which most likely won't.
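The key arrangement described in footnote [1] above, sketched as an added example; it is not Titanium Backup's code and not part of the original comment. It assumes hybrid encryption (an RSA key pair wrapping a per-file AES-256-GCM key); all function names are hypothetical.

```javascript
// Added illustration of "encrypt with the public key, restore with the passphrase".
const nodeCrypto = require("node:crypto");

// One-time setup. The passphrase is needed here and at restore time only.
function createBackupKeys(passphrase) {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("rsa", {
    modulusLength: 2048,
    publicKeyEncoding: { type: "spki", format: "pem" },
    // The private key is serialized already encrypted under the passphrase,
    // so it can safely be stored next to the backup files.
    privateKeyEncoding: {
      type: "pkcs8",
      format: "pem",
      cipher: "aes-256-cbc",
      passphrase,
    },
  });
  return { publicKey, encryptedPrivateKey: privateKey };
}

// Backup step: uses only the public key, so scheduled backups can run
// unattended without the passphrase ever being present on the device.
function encryptBackup(plaintext, keys) {
  const dataKey = nodeCrypto.randomBytes(32); // fresh AES key per file
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", dataKey, iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return {
    wrappedKey: nodeCrypto.publicEncrypt(
      { key: keys.publicKey, oaepHash: "sha256" },
      dataKey
    ),
    iv,
    ciphertext,
    tag: cipher.getAuthTag(),
    encryptedPrivateKey: keys.encryptedPrivateKey, // travels with the file
  };
}

// Restore step: the passphrase unlocks the private key, which unwraps the
// AES key. A wrong passphrase or a tampered file throws instead of
// returning garbage.
function decryptBackup(backup, passphrase) {
  const dataKey = nodeCrypto.privateDecrypt(
    { key: backup.encryptedPrivateKey, passphrase, oaepHash: "sha256" },
    backup.wrappedKey
  );
  const decipher = nodeCrypto.createDecipheriv("aes-256-gcm", dataKey, backup.iv);
  decipher.setAuthTag(backup.tag);
  return Buffer.concat([decipher.update(backup.ciphertext), decipher.final()]);
}
```
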
In that case you wouldn't worry about wiping your phone either. So you went out of your way to miss the point.
I never thought I'd see that on Slashdot... cough cough.
Where can I download this app?
How do they get a picture of you and what you are looking at together? If it is a mash up, couldn't they just mash up your face (pic they took) with some disgusting porn pic anyway?
I don't get it.
sigs are for losers (except to point out that sigs are for losers)
Is it clever or crudely planned? The article suggests it's both.
The most interesting thing in the summary is that they're using PayPal over Bitcoin (or other cryptocurrencies). Is this because they're clueless noobs who can't be bothered to figure out how to use Bitcoin? Is it because PayPal is so terrible at stopping accounts engaged in this kind of abuse that they can still make a shitload of money before they're blocked? Is it because they've found Bitcoin is not useful or flexible enough?! So many questions!
Yup. Some people delegate their smarts to their phones.
Only about 1 person in 50 is smart enough to be worth caring about anyway, so I'd say things are properly aligned, in this case.
I asked several of my geek friends, and they all said that they could wipe their phone and be fine. Some of them wipe their phone every few months just for good measure.
Of course, they are all geeks, and may all be in your "1 in 50". But I suspect that the number of people who don't have such a reckless investment in their phones might be higher than you think.
Installing an app asking for every permission under the sun / admin rights to watch porn is a terrible idea. I wouldn't be surprised if the app itself came from a dodgy warez site. Though I've also seen sites where a dodgy banner ad immediately starts pushing an apk - literally visit the site from a phone and next thing you know an apk is downloading. It's a terrible security flaw in browsers that they don't stop this.
Wiping the phone does you no good because they already have your picture--the phone sent it to them.
Like they couldn't just take another picture in 99% of cases. Is the photo of your child doing something funny important enough that you will fund criminals to get it back?
If it is your whole set of pictures over the past 6 months that would be different, but in that case they should be backing it up.
You never know when you might drop your phone in a toilet or it might get stolen, so there is no excuse for not backing up regularly.
Google, Apple, and Microsoft all push hard for you to use their cloud services, automatically uploading your data to their servers. Someone non-technical is likely to just go for the default options, which amounts to handing all your data over to $phone_vendor.
My parents fairly regularly have to reflash their iPhones due to upgrade problems. My wife has lost her phone more than once and needed a replacement; she generally distrusts technology, so she doesn't rely on her phone much anyhow. Her contacts are backed up online, and that's about the only thing she cares about. Maybe none of them are at the "at a moment's notice" level, but they're all certainly at the "screw paying $500" level, and none of them are far from average in terms of technical ability.
It is pitch black. You are likely to be eaten by a grue.
Isn't the picture just window dressing, though? The ransom is to unlock your phone, not delete your picture. (The FBI warning is obviously fake.)
I think "wipe and reinstall" on iOS is no problem, because that's what it does when I get a new iPhone: during setup it logs into your iCloud/iTunes/etc and replicates everything from your old phone onto your new phone (except passwords). I'd expect wipe and reinstall to do the exact same thing. Android, I don't know.
They will learn the first time that they drop their device and it breaks. Or they lose it.
People who say things like this always think they're that 1 in 50, or whatever number they pulled out of their ass.
They're always wrong.
The bulk of employment in the world is provided by small- or medium-sized businesses and the self-employed.
Alright guys. Society's hygiene standards are varied and mostly superfluous; I'm not here to tell you to shower every twelve hours. But there is a line, it's called "sanitary", whereafter actual consequences follow.
I don't mind most stereotypes and stigmas, but much like disease control I want everyone to keep an eye on that breakpoint.
So anyway, depending on your use, you might want to check the phone before you start.
Get a BlackBerry. Then you can laugh at all the rubes with iPhones and Androids going through this stuff. Because Blackberries don't get hacked.