The app will push several full screen ads when users unlock their devices, including malicious ads (such as fraudulent content and pornography) that will pop up via the user’s browser. During our analysis, we found a paid online pornography player (detected as AndroidOS_PornPlayer.UHRXA) that was downloaded when clicking the pop up. Take note, however, that nothing will play, even after the user pays and executes the player.
None of these apps give any indication that they are the ones behind the ads, thus users might find it difficult to determine where they’re coming from. Some of these apps redirect to phishing websites that ask the user for personal information, such as addresses and phone numbers. For example, in the figure below, clicking the “OK” button in the middle screenshot will redirect the user to a new page, which will give the user three tries to win a prize. The third try will always allow the user to win, after which a form will appear asking the user for detailed information.