Hackers Use Rogue Pornhub Apps to Seduce Victims into Installing Ransomware


2016 was a bad place to be in terms of cybersecurity, and the year continues to haunt security researchers while providing them troves of information on hackers and their attack mechanisms. In a detailed overview of the growing threat of Android ransomware, security researchers at ESET have revealed how hackers cleverly use Pornhub as a vector to distribute Android ransomware to those looking for some not-so-clean apps from the adult entertainment website.

Pornhub apps used to spread ransomware

According to ESET, the number of Android ransomware detections has grown in year on year comparisons by more than 50%, with the largest spike in the first half of 2016. This growing use of Android ransomware can be attributed to evolving techniques and distribution mechanisms that are being used by attackers.

Fake COVID-19 Tracking App Found to Infect Android Phones With Ransomware

Researchers have discovered that hackers have been using fake Pornhub apps to lock user devices and hold them hostage. The new campaign seduces unsuspecting visitors with ransomware that is hidden in rogue Pornhub apps.

"Fake copies of legitimate antivirus programs used to be the domain of rogue AVs on Windows. Curiously, the malware, detected by ESET as Android/FakeAV.E also abuses another well-known brand: it spreads by pretending to be a mobile app for the adult video website Pornhub," researchers wrote in a whitepaper [PDF].

The reason why many users fall for these fake Pornhub apps is because Google bans X-rated software from its official store. This makes the job easier for attackers. Pornhub already has an official app for Android, but it's not hosted on the Play Store. Those interested in the app have to go for untrusted sources, making it difficult for victims to know if they're downloading a fake app or a legitimate one. Google might have to reconsider blocking legitimate apps from adult entertainment sites or risk more users falling prey to these fake apps.

Back to the ransomware... More than a heartbreak

Once the rogue app is downloaded and launched, "instead of showing pornographic videos, it shows the user a message that says the device must first be "checked for viruses". After clicking OK, the fake AV, which is made to look like Avast, runs its scam scan."

The narrative in this fraud is rather odd. First, the message shown by the fake Avast GUI states that the “device is in danger and is now blocked for security reasons” and that a Pro version must be bought.

While a legitimate antivirus would obviously not render a device unusable, that text is more-or-less corresponds to rogue AV behavior.

The screen then demands a 100 USD fine to avoid legal consequences and locks the device.

Fortnite: Dominating the World of Porn and Gaming

"Target-wise, Android ransomware operators have been shifting their focus from Eastern European to US mobile users," ESET said. "However, last year also demonstrated an increased activity on the Asian market."

ESET has published guidelines on how to steer clear from this ransomware and remove it if your device has been infected. The firm has advised to boot up your device into Safe Mode, which blocks any third-party apps. This will enable you to revoke Device Administrator privileges and delete the app to get rid of malware. More details and tips to stay safe can be found in this whitepaper.