According to Zscaler, whose research recently discovered a variant of the Android ransomware PornDroid, says the malware is evading detection by most AV software because it waits 4 hours before it executes its payload.

There is another nasty variant of the malware, it doesn't unlock your screen after you pay up.

In an effort to get the victim to pay up, it displays a full-screen message that the device's service has been suspended due to viewing or storing illegal pornographic images. It further warns that if the ransom is not paid within 12 hours, the victims contacts will be sent a message that your device has been suspended due to pornography on the device. (The malware is incapable of doing such.)

It further warns that if the ransom is not paid, the device will be completely blocked and there will be a loss of data. On top of that, it will post the devices information and label it “pedophile data.”

“The malware author will usually target popular apps, especially the ones that do not leverage strong anti-tamper techniques” that check if an app has been tampered by a third party and stops it from working if modifications are detected,” said Deepen Desai, senior director of security research at Zscaler.

After the four hour delay, the malware then goes to work and asks the victim to activate a device administrator. If the victim does so, the screen is locked and the ransom note is delivered. If the victim presses cancel, they are thrown into a never ending loop.

The malware can be removed by booting into safe mode, remove the app's device administrator privilege, uninstall the app, and then reboot the device once more, back into normal mode.

Source: SCMagazine