2014-08-06 - Landscape

A ScarePakage variant is targeting more countries : impersonating Europol and AFP

(image from GadgetMaxim.com

On July 16th Lookout wrote about a new "police ransomware" on Android. They named it ScarePakage. (aliases : Eset:Android/Locker.B , Kaspersky:Trojan-Ransom.AndroidOS.Aples.a)

It (or a variant ? seems Norton focused here) is advertised on underground since beginning of July as "Android Locker" by the seller of a fork of Titan Browlock System.

ScarePakage advertised as "Android Locker" on underground - 2014-07-06
Original text of the advert :
Android Locker, андройд локер

Из функционала:
- эмитация сканера нелегального контента (Hello Nortan!)
- "жесткая" установка, невозможно удалить приложение даже через безоп. режим
- блокирует любые действия/приложения/активность юзера
- шифрование/дешифрование файлов на флешке, если она имеется в устройстве
- "прослушивание" всех доступных сигналов на устройстве, перехват и старт приложения по каждому из них
- попытка "убить" любой процесс при старте
- работает после ребута
- есть возможность разблокировки либо постоянной блокировки девайса после ввода ваучера
- удобная админ панель
- web лендинг в комплекте

Основная цель - получение Moneypak чеков, софт заточен под US андройд трафик,
под другие страны приложение не адаптировано.


Важно: я не не криптую апк файлы и сорцы не продаю.
Я в праве отказать в продаже без объяснения причины.
Ребилд на другой домен бесплатный, если ваш прежний домен спалился.
Приложение апк не даю на тест (точнее даю, но не всем подряд) - полно любителей энтузиастов.
Оплата строго через гарант или предоплата.

Цена 2000$ без торга
После покупки вы получаете web лендинг и апк файл.
Вам останется

только запустить траф и ждать чеки.

[email protected] - OTR 

Translated by Google as :
Android Locker, андройд локер

We developed our own product androyd locker. 

Of the functional: 
- Emitatsii scanner illegal content (Hello Nortan!) 
- "Hard" setting, you can not remove the application even after bezop. mode 
- Blocks any action / application / user activity 
- Encryption / decryption of files on a flash drive, if available in your device 
- "Listening" all available signals on a device to intercept and start the application on each of them 
- An attempt to "kill" any process at startup 
- Working after reboot 
- Have the ability to unlock or lock devaysa constant after entering the voucher 
- Comfortable admin panel 
- Web Landing complete 

The main goal - getting Moneypak checks, soft ground under US androyd traffic 
for other countries the application is not adapted. 


user posted image 
user posted image 

Important: I do not not crypto apk file and sortsy not sell. 
I'm right to refuse sale without explanation. 
Rebuild to another domain for free, if your old domain bedrooms. 
Appendix ank not give a test (or rather to give, but not all in a row) - fully lovers enthusiasts. 
Payment is strictly through a guarantee or prepayment. 

Price $ 2000 without bargaining 
After purchase you get web Landing and apk file. 
You just need to run and wait for traf checks. 

[email protected] - OTR

Later Updates : Seller provided some numbers :
Умеете добывать андройд трафик?
Приглашаю несколько человек посотрудничать с нашим софтом.
Конверт жгет.

Примерные показатили конверта:

Download apk: 89690
Launch apk: 1379
All vouchers: 76
Valid vouchers: 54


Принимает от 50к трафика в сутки.

Able to produce androyd traffic? 
Invite several people to collaborate with our software. 
Zhget envelope. 

Exemplary indicators envelope: 

Download apk: 89690 
Launch apk: 1379 
All vouchers: 76 
Valid vouchers: 54 

~ $ 9k 

Receives from 50k daily traffic.

And on the 16th he wrote about new countries targeted.

knstant announcing DE, ES, FR and AU design were now available

I spotted a "badvert" yesterday on Spankwire (big (alexa 500 US, 800 worldwide) porn site) that was redirecting to a Browlock hidden behind cloudflare (after a jump on a keitaro TDS on

The Browlock was showing the exact same design than the one featured in that post : Titan Browlock System so also advertised by konstant.

Landing on this badvert with android from at least FR, ES and DE would prompt you with a virus alert (hidden behind cloudflare)

Popup alert you could get while browsing Spankwire
with an Android Powered device && Chrome Browser from France
Then a file named Norton_Internet_Security.apk is downloaded.

Launching it :

Impersonates Norton Internet Security

On launch : fake Scan
After fake Scan trying to get "Administrator of the device" rights
(US version)
I spotted 5 different APK on the server (which perfectly match what we saw in the advert):
AU - d6c6bc0dc803f7891b9db745c24de541
DE - 06c7a02d49b97930fb9c696cde1350d1
ES - d21e1c0f992ed70c6881c1f31c7a555a
FR - e13523d97e2390ca4529abf06ebe01ee
US - 28726f772f6b4b63fb40696a28afafc9

One country one apk...the coder should really take a look at : "Localizing with Resources"

ScarePakage - DE - 2014-08-05

ScarePakage - FR - 2014-08-05

ScarePakage - ES - 2014-08-05

ScarePakage - AU - 2014-08-05
ScarePakage - US - 2014-08-05

The locking feature is working far better than in Koler.


(cloudflared ... )
Sharing Infra with the Titan Browlock.

Files : ScarePakage_2014-08-06.zip (5 apk)

Read More:
ScarePakage – Fake FBI RansomLocker - 2014-07-24 - Darien Huss - Emerging Threats
U.S. targeted by coercive mobile ransomware impersonating the FBI - 2014-07-16 -  Meghan Kelly  - Lookout