Koler Ransomware Holding Porn Viewers Hostage
Another day, another piece of porn malware. This time the culprit is Koler (again), and the target is U.S. Pornhub viewers who use Android-based mobile devices.
The ransomware masquerades as a Pornhub mobile app that, once installed, grants itself root privileges, locks the user’s device and displays a message claiming the Federal Bureau of Investigation has detected illegal pornography. The message informs the user he must pay a “fine” of $500 in order to regain control of his device.
Neither the scheme nor the malware is new. Koler made the leap to Android in April 2014 after kicking up a fuss in the Windows OS sphere as part of the Reveton screen-locking ransomware campaign. On Android mobile devices, a pop-up spawned by Koler claimed “police” had locked the user’s phone. The ransom was a mere $100 to $300; infection occurred when victims visited one of 48 pornography websites operated by a Russian hacker ring. The mobile component of the campaign ended in July 2014 when the command-and-control server sent uninstall commands to victims.
The current threat, discovered by ESET security researcher Lukas Stefanko, spreads via ads for the fake app placed on adult websites bearing URLs that incorporate the phrases “greatgirlvideoprivate,” “tubegirlsnight,” “freenightbeautifulgirls” or “verygoodgirl.” All bear the domain extension .site or .us. During installation, the malware “clickjacks” the user’s tap on the continue button and grants itself admin privileges.
This ransomware campaign bears an amusing, if semi-fiendish, twist: the pop-up screen warns the user that information about his location and snapshots of his face (presumably taken by the device’s onboard camera) have been uploaded to the FBI’s cybercrime datacenter.
Users can regain control of compromised phones by booting the device into Safe Mode, removing Koler from the device administrators list (revoking the admin privileges it granted itself during installation) and then uninstalling the fake Pornhub app.
Image © Vladimir Mucibabic