2015-01-10 - Panel
Inside Android LockOut System aka PornDroid
When I wrote "The worst of Windows "Police Locker" is also available on Android" I thought this was a "rare" threat and was not really likely to achieve its goal.
I was wrong.
It did not take long for "Porndroid" to become the first keyword for incoming traffic to this blog.
So I thought that "Porndroid" was maybe associated with legit pornography on Android... but no... so I understood that this ransomware was probably more widespread than expected.
And indeed... I found a TDS that is pushing around 500k visitors a day to fake porn websites designed for mobile, with fast-rotating domains and paths (to play "PokeAMole" with defenses and avoid replay).
[Image: TDS redirecting to Porndroid Ransomware. Traffic between 2014-19 and 24. This TDS is still live and kicking.]
Traffic is coming from ExoClick, EroAdvertising, Plugrush, etc., so mostly badvert.
Since my last post an additional step was added:
[Image: Advice on how to install the PornDroid "Video Player", or how to get SocEng and ransomed]
[Image: Piece of code from the latest version of the PornDroid landing]
[Image: Alert now shown by the landing]
The ransomware is not grabbing the fake page via an external call anymore. The content is embedded in the APK, which explains why it's "meaty": 1 MB.
Permissions changed a little:
[Image: permission list]
Added (+): Find accounts on the device; modify the contents of the SD card.
Removed (-): Read your text messages; read bookmarks and history.
[Image: Identical to previous post]
The explanation for "Administrator Rights" prompt has been tuned to:
[Image: XXX Video (PornDroid) prompting for Administrator Rights. Reason? "Set Storage Encryption"]
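A triage check for the pattern described above, as an added example (not code from the original post or from the sample): it flags a decoded `AndroidManifest.xml` that declares a device-admin receiver whose policy file requests `encrypted-storage` (the policy Android labels "Set storage encryption") together with the two added permissions. The package and receiver names, the sample XML and the mapping of install-screen labels to permission names are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
# Assumed mapping of the post's install-screen labels to manifest names.
ADDED_PERMS = {
    "android.permission.GET_ACCOUNTS",            # "Find accounts on the device"
    "android.permission.WRITE_EXTERNAL_STORAGE",  # "Modify the contents of the SD card"
}

# Constructed sample input (decoded manifest + device-admin policy file).
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.videoplayer">
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <application android:label="XXX Video">
    <receiver android:name=".AdminReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN">
      <meta-data android:name="android.app.device_admin"
          android:resource="@xml/policies"/>
    </receiver>
  </application>
</manifest>"""
SAMPLE_POLICIES = """<device-admin>
  <uses-policies><encrypted-storage/></uses-policies>
</device-admin>"""


def triage(manifest_xml, policies_xml=None):
    """Return findings for a decoded manifest and optional policy XML."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(NS + "name") for p in root.iter("uses-permission")}
    admins = [r.get(NS + "name") for r in root.iter("receiver")
              if r.get(NS + "permission") == "android.permission.BIND_DEVICE_ADMIN"]
    policies = set()
    if admins and policies_xml:
        policies = {p.tag for p in ET.fromstring(policies_xml).iter()
                    if p.tag not in ("device-admin", "uses-policies")}
    findings = []
    if admins:
        findings.append("device-admin receiver: " + ", ".join(admins))
    if "encrypted-storage" in policies:
        findings.append("admin policy: encrypted-storage")
    for perm in sorted(perms & ADDED_PERMS):
        findings.append("permission: " + perm)
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_MANIFEST, SAMPLE_POLICIES):
        print(finding)
```

The input is expected to be already decoded text XML; the manifest inside an APK is in binary form and has to be decoded first.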
The screen lock shown after a click on any video is the same:
[Image: PornDroid - LockScreen]
Many servers were/are acting as C&C for this mobile ransomware.
Here are some :
The admin entrance looks like this:
[Image: Android LockOut System - Admin Login Page]
Here is one panel:
[Image: PornDroid/LockOut System Panel - Main]
And another one :
One more
The following screenshots come from different panels, at different times... don't try to "connect" them together.
[Image: Android LockOut System - Stats per day]
[Image: Android LockOut System - All bots (4-5 infections per minute when taken)]
[Image: Android LockOut System - All Codes]
[Image: Moneypack Replies]
[Image: Commands]
[Image: Gathered Accounts]
[Image: Android LockOut System - Sent Command]
[Image: Android LockOut System - Domains]
Big figures:
- Target: mostly US
- Cumulative number of infections in December: between 180k and 240k
- Average number of devices locked daily : 7k
- Percentage of people paying : between 0.4 and 1%
- Money : at least half a million $ in voucher in December (note: $ in voucher is not $ in pocket for operators)
Not all the data is shared here (missing: main actor nickname, adverts, domains, screenshots). So feel free to contact me if you are a researcher or want to act on it (do so with a pro email - no gmail/yahoo/mail.ru etc. accounts...).
---
Thanks to @Malwageddon for some translation hints.
Files:
4 samples in a Zip sent on VT
Read More :
The worst of Windows "Police Locker" is also available on Android 2014-10-28
Extra:
For those who did not see it, Idan Revivo and Ofer Caspi from Checkpoint shared on GitHub "A Cuckoo Sandbox Extension for Android". Thanks !!
[Image: Porndroid in Cuckoo Sandbox extension for Android (you can get better than what is shown here; basic install)]