Author: Erik mit k
One year ago, I blogged about a nasty evolution of Kovter using a sick method to ensure people are shocked and doubtful enough to pay the ransom.
A week ago, while doing some Android browsing to check how some "Desktop world" badness would react on mobile, I was pushed a pseudo-porn application.
Usual referer for some Reveton Angler EK thread, tested on Android, pushes an APK after a plugrush mobile badvert
So without user interaction, nothing will happen. Just a dirty APK on your phone.
Now, if you decide to install what pretends to be PornDroid:
Note the "Read your Web bookmarks and History" permission and some permissions unknown to me until now: "Reorder Running Apps", "Draw Over Other apps"
Fake "PornDroid" trying to convince you that it needs "Device Administrator"
If you activate it, here is what will be shown in the Settings:
"These privileges are needed to protect your device from attackers, and will prevent Android OS from being destroyed."
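The permission set shown in those screenshots (overlay, task reordering, browser history, plus a Device Administrator receiver) is exactly the combination a lock-screen locker needs to stay on top and resist uninstallation. The following is an added example, not code from the original post nor from the malware: it triages a decoded AndroidManifest.xml (as produced by apktool) for that pattern. The manifest embedded below is constructed for the demo, and the package and component names in it are made up.

```python
"""Triage a decoded AndroidManifest.xml for the lock-screen ransomware
permission pattern: overlay + task reordering + a device-admin receiver.

Added example, not code from the original post. SAMPLE_MANIFEST is constructed
for this demo; the package and class names in it are hypothetical.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"          # android:name
PERM = f"{{{ANDROID_NS}}}permission"    # android:permission

# Permissions seen in the post's screenshots and the text Android shows for them.
LOCKER_PERMISSIONS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "Draw over other apps (overlay lock screen)",
    "android.permission.REORDER_TASKS": "Reorder running apps (force itself back to front)",
    "com.android.browser.permission.READ_HISTORY_BOOKMARKS": "Read your Web bookmarks and history",
    "android.permission.RECEIVE_BOOT_COMPLETED": "Run at start-up (lock survives a reboot)",
}

# Constructed sample of what a decoded manifest for such an APK could look like.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.porndroid">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REORDER_TASKS"/>
  <uses-permission android:name="com.android.browser.permission.READ_HISTORY_BOOKMARKS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="PornDroid">
    <activity android:name=".MainActivity"/>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <meta-data android:name="android.app.device_admin" android:resource="@xml/admin"/>
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def parse_manifest(xml_text):
    """Return (package, set of uses-permission names, list of device-admin receivers)."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    perms = {e.get(NAME) for e in root.iter("uses-permission") if e.get(NAME)}
    # A receiver guarded by BIND_DEVICE_ADMIN is how an app registers as Device Administrator.
    admin_receivers = [
        r.get(NAME) for r in root.iter("receiver")
        if r.get(PERM) == "android.permission.BIND_DEVICE_ADMIN"
    ]
    return package, perms, admin_receivers


def triage(xml_text):
    """Score a manifest against the locker pattern and return the findings as a dict."""
    package, perms, admin_receivers = parse_manifest(xml_text)
    hits = {p: LOCKER_PERMISSIONS[p] for p in sorted(perms) if p in LOCKER_PERMISSIONS}
    # The combination is what matters: overlay + task reordering keeps the ransom
    # screen on top, and a device-admin receiver blocks a plain uninstall.
    locker = (
        "android.permission.SYSTEM_ALERT_WINDOW" in perms
        and "android.permission.REORDER_TASKS" in perms
        and bool(admin_receivers)
    )
    return {
        "package": package,
        "suspicious_permissions": hits,
        "device_admin_receivers": admin_receivers,
        "locker_pattern": locker,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_MANIFEST), indent=2))
```

Run it against `apktool d sample.apk` output by reading `AndroidManifest.xml` and passing its text to `triage()`. Any single one of these permissions is common in benign apps; the flag is raised only when the overlay, the task reordering and the device-admin receiver all appear together.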
In the background, a webpage containing child pornography is shown.
All images are linked to videos that are indeed on the server.
Captured traffic between launch and lock
Then the phone is locked.
$500
You can expand each block and get details
Usual MoneyPak payment system
Can take photos
Images that have been pushed to the user are now shown as "evidence". Browsing history is available here too
On the upper part of this screen, 4 CP/Zoo images are presented as evidence.
I was wondering if the images were taken from the cache or something, but they are in fact downloaded, encrypted, along with the design in the first 400 KB call (so even before the website is displayed).
What's missing? Oh yes... Prism.
I didn't analyse the APK deeply, but the first HTTP POST is really big.
I wouldn't be surprised if contacts, browsing history, etc. were pushed to the C&C.
From what I saw, this is focused on the USA.
Launching the APK from another country, you get the sick webpage and the call to the C&C, but no lock.
Browsing the same referer from France and Great Britain at that time, I landed on some fake (?) antivirus stuff like:
Files: nothing. But here is an MD5 from when I discovered it: be4ad7e9140646a31099780c62a34bca. And a fresher one: c03e2d5712cb5d738f06bfd79b9be12a
It seems the main name coming up is Koler... but I wouldn't say it's the same team behind this and the Koler featured here before and in the last AdaptiveMobile post.