When I wrote "The worst of Windows "Police Locker" is also available on Android" I thought this was a "rare" threat and was not really likely to achieve its goal.
I was wrong.
It did not take long for "Porndroid" to become the first keyword for incoming traffic to this blog.
So I thought that "Porndroid" was maybe associated with legitimate pornography on Android... but no... so I understood that this ransomware was probably more widespread than expected.
And indeed... I found a TDS that is pushing around 500k visitors a day to fake porn websites designed for mobile, with fast-rotating domains and paths (to play "PokeAMole" with defenders and avoid replay).
TDS redirecting to Porndroid Ransomware
Traffic between 2014-19 and 24
This TDS is still live and kicking
Traffic is coming from ExoClick, EroAdvertising, PlugRush, etc., so mostly badvert (malvertising).
Since my last post an additional step was added:
Advice on how to install the PornDroid "Video Player", or: How to get SocEng'd and Ransomed
But it seems that in the latest move (this week) they switched to a browlock-style landing page that repeatedly prompts the visitor to install the downloaded "video player".
Piece of code from the last version of the PornDroid landing page
Alert now shown by the landing page
The ransomware is no longer grabbing the fake page via an external call. The content is embedded in the APK, which explains why it is "meaty": 1 MB.
Permissions changed a little:
+ Find accounts on the device
+ Modify the contents of the SD card
- Read your text messages
- Read bookmarks and history
Otherwise identical to the previous post.
The explanation for the "Administrator Rights" prompt has been tuned to:
XXX Video (PornDroid) prompting for Administrator Rights. Reason?
"Set Storage Encryption"
If you accept, the malware is launched immediately.
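A practical way to do the permission and device-admin comparison made above is to decode both APK versions (for instance with `apktool d sample.apk`) and diff their manifests. The script below is an added example, not the author's tooling and not code from the sample: the two manifests and the device_admin.xml are constructed to mirror the +/- list and the "Set Storage Encryption" prompt, and the package, receiver and resource names are assumptions. The point it shows is that the "Set Storage Encryption" wording comes from the `encrypted-storage` policy the app requests in its device-admin policy file, which is worth checking in any sample that asks for admin rights.

```python
import xml.etree.ElementTree as ET

# Android's XML attribute namespace as found in a decoded AndroidManifest.xml
# (e.g. the output of `apktool d sample.apk`).
ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS

# Constructed manifests for illustration only (not extracted from the real
# sample). Package, class and resource names are assumptions; the permission
# changes mirror the +/- list in the post.
OLD_MANIFEST = f"""<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="{ANDROID_NS}" package="com.example.xxxvideo">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="com.android.browser.permission.READ_HISTORY_BOOKMARKS"/>
  <application>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <meta-data android:name="android.app.device_admin"
                 android:resource="@xml/device_admin"/>
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

NEW_MANIFEST = f"""<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="{ANDROID_NS}" package="com.example.xxxvideo">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <application>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <meta-data android:name="android.app.device_admin"
                 android:resource="@xml/device_admin"/>
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed res/xml/device_admin.xml: the <encrypted-storage/> policy is what
# Android renders as "Set storage encryption" in the activation prompt.
DEVICE_ADMIN_POLICY = f"""<?xml version="1.0" encoding="utf-8"?>
<device-admin xmlns:android="{ANDROID_NS}">
  <uses-policies>
    <encrypted-storage/>
  </uses-policies>
</device-admin>"""


def permissions(manifest_xml):
    """Set of <uses-permission android:name=...> values in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    return {e.get(A + "name") for e in root.iter("uses-permission")}


def diff_permissions(old_xml, new_xml):
    """Return (added, removed) permission lists between two versions."""
    old, new = permissions(old_xml), permissions(new_xml)
    return sorted(new - old), sorted(old - new)


def device_admin_receivers(manifest_xml):
    """Receivers protected by BIND_DEVICE_ADMIN (device-admin components),
    together with the policy resource each one declares."""
    root = ET.fromstring(manifest_xml)
    found = []
    for rcv in root.iter("receiver"):
        if rcv.get(A + "permission") != "android.permission.BIND_DEVICE_ADMIN":
            continue
        resource = None
        for md in rcv.iter("meta-data"):
            if md.get(A + "name") == "android.app.device_admin":
                resource = md.get(A + "resource")
        found.append({"name": rcv.get(A + "name"), "policy_resource": resource})
    return found


def admin_policies(policy_xml):
    """Policy tags requested under <uses-policies> in a device_admin.xml."""
    root = ET.fromstring(policy_xml)
    uses = root.find("uses-policies")
    return sorted(child.tag for child in uses) if uses is not None else []


def triage(old_xml, new_xml, policy_xml):
    """One-line findings a reviewer would want flagged for the new version."""
    added, removed = diff_permissions(old_xml, new_xml)
    findings = [f"+ {p}" for p in added] + [f"- {p}" for p in removed]
    for rcv in device_admin_receivers(new_xml):
        findings.append(f"device admin receiver {rcv['name']} -> {rcv['policy_resource']}")
    for pol in admin_policies(policy_xml):
        findings.append(f"device admin policy: {pol}")
    return findings


if __name__ == "__main__":
    for line in triage(OLD_MANIFEST, NEW_MANIFEST, DEVICE_ADMIN_POLICY):
        print(line)
```

Run against real decoded output, `triage()` would take the two `AndroidManifest.xml` files and the `res/xml/` file named by the receiver's `android.app.device_admin` meta-data. A sample that registers a `BIND_DEVICE_ADMIN` receiver and requests `encrypted-storage`, `force-lock` or `wipe-data` while presenting itself as a video player is the pattern to look for.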
The screen lock after clicking on any video is the same:
PornDroid - LockScreen
Same "proof" of illegal activity:
etc. (see this post for more screens of the ransomware itself)
Many servers were/are acting as C&C for this mobile ransomware.
Here are some:
apimapu.net ( 184.108.40.206 )
apimapq.net ( 220.127.116.11 )
The admin entrance looks like this:
Android LockOut System - Admin Login Page
Here is one panel:
PornDroid/LockOut System Panel - Main
And another one:
I won't add more "Main" screenshots as those three are representative.
The following screenshots come from different panels at different times... don't try to "connect" them together.
Android LockOut System - Stats per day
Android LockOut System - All bots
4-5 infections per minute when taken
Android LockOut System - All Codes
Other valid replies:
Moneypack Replies
Commands
Gathered Accounts
Android LockOut System - Sent Command
Android LockOut System - Domains
Big figures:
Target: mostly US
Cumulative number of infections in December: between 180k and 240k (why is no one talking about that if it's "that" widespread? It's about shame. If you see the "proof" tab you understand.)
Average number of devices locked daily: 7k
Percentage of people paying: between 0.4 and 1%
Money: at least half a million $ in vouchers in December (note: $ in vouchers is not $ in the operators' pocket)
It seems servers are changed every 30-40k infections.
Not all the data is shared here (missing: main actor nickname, adverts, domains, screenshots). So feel free to contact me if you are a researcher or want to act on it (do it with a pro email: no gmail/yahoo/mail.ru etc. accounts...).
Thanks to @Malwageddon for some translation hints.
4 samples in a zip sent to VT
Read More :
The worst of Windows "Police Locker" is also available on Android 2014-10-28
For those who did not see it, Idan Revivo and Ofer Caspi from Check Point shared on GitHub "A Cuckoo Sandbox Extension for Android". Thanks!!
Porndroid in Cuckoo Sandbox extension for Android
(you can get better results than what is shown here: this is a basic install)