Sad Danbo
Author: Erik mit k 


One year ago, I blogged about a nasty evolution of Kovter that used a sick method to make sure people were shocked and doubtful enough to pay the ransom.

A week ago, while doing some Android browsing to check how some "desktop world" badness would react on mobile, I was pushed a pseudo porn application.

Usual referer for some Reveton Angler EK thread, tested on Android: pushes an APK after a plugrush mobile badvert


So without user interaction nothing happens: just a dirty APK sitting on your phone.
Now, if you decide to install what pretends to be "PornDroid":

Note the "Read your web bookmarks and history" permission,
and two permissions unknown to me until now:
"Reorder running apps" and "Draw over other apps" (the latter is what lets an app paint a lock screen on top of everything else).
Then, if you launch it, you are asked to grant it "Device Administrator" rights.

Fake "PornDroid" trying to convince you that it needs "Device Administrator" rights

If you activate it, here is what is shown in Settings:

"These privileges are needed to protect your device from
attackers, and will prevent Android OS from being destroyed."

Once an app is an active device administrator it cannot be uninstalled through the normal Settings flow until that status is revoked, which is exactly why a locker wants it.
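The permission set above is the thing to look for when triaging such an APK offline. The script below is an added example (not code from the post, nor anything from the PornDroid sample itself): it reads the string pool chunk straight out of the binary AndroidManifest.xml inside an APK and flags the combination of history access, overlay, task reordering and device-admin binding. The manifest bytes it parses are constructed inline by the `build_axml` helper (a minimal string pool, assumed here for the example), the `SUSPICIOUS` table is my own triage mapping, and the parser assumes string lengths below the two-byte extension threshold of the AXML format.

```python
"""Offline permission triage for an APK's binary AndroidManifest.xml.

Added example, not code from the post. Assumption: every permission name the
manifest references (uses-permission entries as well as the BIND_DEVICE_ADMIN
guard on a device-admin receiver) lives in the manifest's string pool chunk,
so we read that chunk and never walk the XML tag chunks.
"""
import io
import struct
import zipfile

RES_XML_TYPE = 0x0003
RES_STRING_POOL_TYPE = 0x0001
UTF8_FLAG = 0x100

# Hypothetical triage table keyed on the permissions the post singles out.
SUSPICIOUS = {
    "android.permission.READ_HISTORY_BOOKMARKS": "reads web bookmarks and history",
    "android.permission.SYSTEM_ALERT_WINDOW": "draws over other apps (lock overlay)",
    "android.permission.REORDER_TASKS": "reorders running apps (stays in front)",
    "android.permission.BIND_DEVICE_ADMIN": "device administrator receiver",
}


def axml_strings(data):
    """Return the string pool of a binary AndroidManifest.xml as a list of str."""
    _, hdr_size, _ = struct.unpack_from("<HHI", data, 0)   # ResXMLTree_header
    off = hdr_size
    while off + 8 <= len(data):
        ctype, chdr, csize = struct.unpack_from("<HHI", data, off)
        if ctype != RES_STRING_POOL_TYPE:
            off += csize                                    # skip tag/resource-map chunks
            continue
        count, _styles, flags, strings_start, _ = struct.unpack_from("<5I", data, off + 8)
        offsets = struct.unpack_from("<%dI" % count, data, off + chdr)
        base = off + strings_start                          # stringsStart is pool-relative
        out = []
        for rel in offsets:
            p = base + rel
            if flags & UTF8_FLAG:
                # UTF-8 pool: u8 char count, u8 byte count, bytes, NUL (assumes lengths < 0x80)
                out.append(data[p + 2:p + 2 + data[p + 1]].decode("utf-8"))
            else:
                # UTF-16 pool: u16 char count, UTF-16LE chars, NUL (assumes count < 0x8000)
                nchars = struct.unpack_from("<H", data, p)[0]
                out.append(data[p + 2:p + 2 + 2 * nchars].decode("utf-16-le"))
        return out
    raise ValueError("no string pool chunk in manifest")


def flag_permissions(strings):
    """Return (suspicious name -> why, list of all android.permission.* names)."""
    perms = [s for s in strings if s.startswith("android.permission.")]
    return {p: SUSPICIOUS[p] for p in perms if p in SUSPICIOUS}, perms


def triage_apk(apk):
    """apk: path or file-like object of an APK (a zip); returns flag_permissions()."""
    with zipfile.ZipFile(apk) as z:
        return flag_permissions(axml_strings(z.read("AndroidManifest.xml")))


# --- constructed sample input (not the real sample's manifest) -------------
SAMPLE_STRINGS = [
    "manifest", "uses-permission", "name", "receiver", "permission",
    "android.permission.INTERNET",
    "android.permission.READ_HISTORY_BOOKMARKS",
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.REORDER_TASKS",
    "android.permission.BIND_DEVICE_ADMIN",
]


def build_axml(strings, utf8=False):
    """Build a minimal AXML blob holding only a string pool, in either encoding."""
    blobs, offsets, pos = [], [], 0
    for s in strings:
        if utf8:
            raw = s.encode("utf-8")
            blob = bytes([len(s), len(raw)]) + raw + b"\x00"
        else:
            raw = s.encode("utf-16-le")
            blob = struct.pack("<H", len(s)) + raw + b"\x00\x00"
        offsets.append(pos)
        blobs.append(blob)
        pos += len(blob)
    body = b"".join(blobs)
    strings_start = 28 + 4 * len(strings)                   # pool header + offset table
    pool = struct.pack("<HHIIIIII", RES_STRING_POOL_TYPE, 28, strings_start + len(body),
                       len(strings), 0, UTF8_FLAG if utf8 else 0, strings_start, 0)
    pool += struct.pack("<%dI" % len(strings), *offsets) + body
    return struct.pack("<HHI", RES_XML_TYPE, 8, 8 + len(pool)) + pool


def sample_apk(utf8=False):
    """In-memory zip containing just the constructed manifest, standing in for the APK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", build_axml(SAMPLE_STRINGS, utf8))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    flagged, perms = triage_apk(sample_apk())
    print("%d permissions, %d suspicious:" % (len(perms), len(flagged)))
    for name, why in flagged.items():
        print("  %-45s %s" % (name, why))
```

Pointing `triage_apk()` at a real APK path works the same way; scanning the string pool rather than decoding the tag tree is deliberate, since it also catches `BIND_DEVICE_ADMIN` on the admin receiver, which is not a `uses-permission` entry.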
In the background, a webpage containing child pornography is shown.

All images are linked to videos that are indeed on the server.
Captured traffic between launch and lock
Then the phone is locked.

$500 demanded

You can expand each block and get details
Usual MoneyPak payment system
Can take photos
Images that have been pushed to the user are now
shown as "evidence". Browsing history is available here too.


This screen is the upper part
4 CP/zoo images are presented as "evidence"
I was wondering if the images were taken from the cache or something, but they are in fact downloaded, encrypted, along with the design in the first ~400 KB call (so even before the website is displayed).




What's missing? Oh yes... Prism.

I didn't analyse the APK deeply, but the first HTTP POST is really big.
I wouldn't be surprised if contacts, browsing history, etc. were pushed to the C&C.

From what I saw, this is focused on the USA.
Launching the APK from another country, you get the sick webpage and the call to the C&C, but no lock.
Browsing the same referer from France and Great Britain at that time, I landed on some fake (?) antivirus stuff like:



Files: Nothing. But here is an MD5: be4ad7e9140646a31099780c62a34bca from when I discovered it, and a fresher one: c03e2d5712cb5d738f06bfd79b9be12a
It seems the main name coming up is Koler... but I wouldn't say it's the same team behind this and the Koler featured here before and in the last AdaptiveMobile post.



