When i wrote "The worst of Windows "Police Locker" is also available on Android" I thought this was a "rare" threat and was not really likely to achieve its goal.
I was wrong.
It did not take long for "Porndroid" to become the first keyword for incoming traffic to this blog.
So I thought that "Porndroid" was maybe associated to legit pornography on Android...but no...so I understood that this ransomware was probably more spread than expected.
And indeed...I found a TDS that is pushing around 500k visitors a day to fake porn website designed for Mobile with fast rotating domains and path (to play the "PokeAMole" with defense and avoid replay)
|TDS redirecting to Porndroid Ransomware|
Traffic between 2014-19 and 24
This TDS is still live and kicking
Traffic is coming from ExoClick, EroAdvertising, Plugrush etc...so mostly badvert.
Since my last post an additionnal step was added :
|Advices on how to install the PornDroid "Video Player" or|
How to get SocEng and Ransomed
|Piece of code of last version of the PornDroid Landing|
|Alert now shown by the Landing|
The ransomware is not grabbing the fake page via external call anymore. Content is embedded in the APK which explain why it's "meaty": 1Mo.
Permissions changed a little
|+ Find Accounts on the Device|
+ modify the contents of the SD card
- Read your Text message
- Read Bookmark and History
|Identical to previous post|
The explanation for "Administrator Rights" prompt has been tuned to:
|XXX Video (PornDroid) prompting for Administrator Rights. Reason ?|
"Set Storage Encryption"
Screen lock after click on any video is the same :
|PornDroid - LockScreen|
etc.. (see this post for more screens of the ransomware itself)
Many server were/are acting as C&C for this mobile Ransomware.
Here are some :
apimapu.net ( 22.214.171.124 )
apimapq.net ( 126.96.36.199 )
Admin entrance is like :
|Android LockOut System - Admin Login Page|
Here is one panel :
|PornDroid/LockOut System Panel - Main|
And another one :
I won't add more "Main" Screenshots as those three are representatives.
The following screenshots comes from different panels, different times...don't try to "connect" them together.
|Android LockOut System - Stats per day|
|Android LockOut System - All bots|
4-5 infections per minute when taken
|Android LockOut System - All Codes|
|Android LockOut System - Sent Command|
|Android LockOut System - Domains|
Big figure :
- Target : Mosly US
- Cumulative number of infection in december : between 180k and 240k
- Average number of devices locked daily : 7k
- Percentage of people paying : between 0.4 and 1%
- Money : at least half a million $ in voucher in December (note: $ in voucher is not $ in pocket for operators)
Not all the data is shared here (missing: main actor Nickname, adverts,domains,screenshots). So feel free to contact me if you are a researcher or want to act on it. (do with pro email - no gmail/yahoo/mail.ru etc. accounts...)
Thanks to @Malwageddon for some translation hints.
4 samples in a Zip sent on VT
Read More :
The worst of Windows "Police Locker" is also available on Android 2014-10-28
For those who did not see it, Idan Revivo and Ofer Caspi from Checkpoint shared on GitHub "A Cuckoo Sandbox Extension for Android". Thanks !!
|Porndroid in Cuckoo Sandbox extension for Android|
(you can get better than what is shown here. basic install)
LockOut System Ransomware PornDroid Android