The security firm claims that the app, named "Adult Player", secretly takes a photo of the user with the device's front camera and displays it on the ransomware screen along with a message demanding $500 (approximately Rs. 33,250). The malware reportedly locks the device and unlocks it only after it receives the ransom from the user. The firm explains that many users download such apps believing them to be video players for pornographic content.
Zscaler details that when the app is opened for the first time, it asks the user for admin rights. Once permission is granted, it asks the user to "Activate" the app, on what the researcher says is a fake update page.
"The malware then loads another APK named test.apk from its local storage using a technique referred to as a reflection attack. Reflection is the ability of a program to examine and modify the behaviour of an object at run time, instead of compile time. The ransomware checks whether the front camera is available or not. If available, it clicks a photo of the victim while he/she is using the app and displays the image on the ransom page," notes Zscaler.
It's worth noting that the Adult Player app is not available on Google Play; it is distributed only through third-party stores and needs to be side-loaded.
"The ransom screen is designed to stay persistent even at reboot. It does not allow the user to operate the device and keeps the screen active with the ransom message," writes the security firm.
It adds that the ransomware cannot be deleted from the device's Settings, as the malware is designed to stay "stagnant on screen" and does not allow uninstallation.
Zscaler suggests some ways to get rid of such ransomware, including booting the device into safe mode, after which users should first remove the app's administrator privilege. Once that is done, users can uninstall the app via Apps in Settings. To avoid such ransomware, the security firm suggests users download apps only from trusted app stores.
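The traits reported above (an admin-rights request, a second APK carried inside the app, camera use and persistence across reboot) can be checked statically before a side-loaded APK is installed. The following Python sketch is an added example, not code from Zscaler or from the malware; the marker strings are standard Android manifest names, while their mapping to the reported behaviour, the `assets/` location of `test.apk` and the sample archives are assumptions constructed for illustration.

```python
import io
import zipfile

# Standard Android manifest names; mapping them to the reported behaviour
# (admin request, camera photo, reboot persistence) is this example's assumption.
MARKERS = {
    "device_admin": "android.permission.BIND_DEVICE_ADMIN",
    "camera": "android.permission.CAMERA",
    "boot_persistence": "android.intent.action.BOOT_COMPLETED",
}

def _has(blob, text):
    # Compiled manifests keep strings as UTF-8 or UTF-16LE in a string pool.
    return text.encode("utf-8") in blob or text.encode("utf-16-le") in blob

def _is_nested_apk(raw):
    # An entry counts as an embedded app if it is itself a zip holding code or a manifest.
    if not raw.startswith(b"PK\x03\x04"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(raw)) as inner:
            return bool({"classes.dex", "AndroidManifest.xml"} & set(inner.namelist()))
    except zipfile.BadZipFile:
        return False

def triage_apk(data):
    """Return the traits found in an APK given as bytes (heuristic, static only)."""
    with zipfile.ZipFile(io.BytesIO(data)) as apk:
        names = apk.namelist()
        manifest = apk.read("AndroidManifest.xml") if "AndroidManifest.xml" in names else b""
        report = {trait: _has(manifest, marker) for trait, marker in MARKERS.items()}
        report["nested_apks"] = sorted(n for n in names if _is_nested_apk(apk.read(n)))
    # Admin rights plus a hidden second app is the combination described above.
    report["review"] = report["device_admin"] and bool(report["nested_apks"])
    return report

def _build_zip(files):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, content in files.items():
            z.writestr(name, content)
    return buf.getvalue()

# Constructed samples (not real malware): fake manifests that hold only marker strings.
PAYLOAD = _build_zip({"classes.dex": b"dex\n035\x00"})
SUSPECT = _build_zip({
    "AndroidManifest.xml": "\x00".join(MARKERS.values()).encode("utf-16-le"),
    "assets/test.apk": PAYLOAD,  # assumed location; the report only names test.apk
})
BENIGN = _build_zip({"AndroidManifest.xml": MARKERS["camera"].encode("utf-8")})
```

A `review` result of `True` is a prompt for closer analysis, not a verdict: legitimate device-management apps also request admin rights, and a string match says nothing about what the code does at run time.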