When i wrote "The worst of Windows "Police Locker" is also available on Android" I thought this was a "rare" threat and was not really likely to achieve its goal.
I was wrong.
It did not take long for "Porndroid" to become the first keyword for incoming traffic to this blog.
So I thought that "Porndroid" was maybe associated to legit pornography on Android...but no...so I understood that this ransomware was probably more spread than expected.
And indeed...I found a TDS that is pushing around 500k visitors a day to fake porn website designed for Mobile with fast rotating domains and path (to play the "PokeAMole" with defense and avoid replay)
TDS redirecting to Porndroid Ransomware Traffic between 2014-19 and 24 This TDS is still live and kicking |
Traffic is coming from ExoClick, EroAdvertising, Plugrush etc...so mostly badvert.
Since my last post an additionnal step was added :
Advices on how to install the PornDroid "Video Player" or How to get SocEng and Ransomed |
Piece of code of last version of the PornDroid Landing |
Alert now shown by the Landing |
The ransomware is not grabbing the fake page via external call anymore. Content is embedded in the APK which explain why it's "meaty": 1Mo.
Permissions changed a little
+ Find Accounts on the Device + modify the contents of the SD card - Read your Text message - Read Bookmark and History |
Identical to previous post |
The explanation for "Administrator Rights" prompt has been tuned to:
XXX Video (PornDroid) prompting for Administrator Rights. Reason ? "Set Storage Encryption" |
Screen lock after click on any video is the same :
PornDroid - LockScreen |
Many server were/are acting as C&C for this mobile Ransomware.
Here are some :
217.12.221.236
192.240.96.236
apimapu.net ( 64.187.225.228 )
apimapq.net ( 37.1.213.175 )
107.181.174.23
192.240.96.254
50.7.71.99
64.187.225.228
Admin entrance is like :
Android LockOut System - Admin Login Page |
Here is one panel :
PornDroid/LockOut System Panel - Main |
And another one :
One more
The following screenshots comes from different panels, different times...don't try to "connect" them together.
Android LockOut System - Stats per day |
Android LockOut System - All bots 4-5 infections per minute when taken |
Android LockOut System - All Codes |
Moneypack Replies |
Commands |
Gathered Accounts |
Android LockOut System - Sent Command |
Android LockOut System - Domains |
Big figure :
- Target : Mosly US
- Cumulative number of infection in december : between 180k and 240k
- Average number of devices locked daily : 7k
- Percentage of people paying : between 0.4 and 1%
- Money : at least half a million $ in voucher in December (note: $ in voucher is not $ in pocket for operators)
Not all the data is shared here (missing: main actor Nickname, adverts,domains,screenshots). So feel free to contact me if you are a researcher or want to act on it. (do with pro email - no gmail/yahoo/mail.ru etc. accounts...)
---
Thanks to @Malwageddon for some translation hints.
Files:
4 samples in a Zip sent on VT
Read More :
The worst of Windows "Police Locker" is also available on Android 2014-10-28
Extra:
For those who did not see it, Idan Revivo and Ofer Caspi from Checkpoint shared on GitHub "A Cuckoo Sandbox Extension for Android". Thanks !!
Porndroid in Cuckoo Sandbox extension for Android (you can get better than what is shown here. basic install) |