One year ago, I blogged about a nasty evolution of Kovter using a sick method to make sure people are shocked and in enough doubt to pay the ransom.
A week ago, while doing some Android browsing to check how some "Desktop world" badness would behave on mobile, I was pushed a pseudo porn application.
[Figure: Usual referer for some Reveton Angler EK thread, tested on Android, pushes an APK after a plugrush mobile badvert]
So, without user interaction, nothing will happen: just a dirty APK on your phone.
Now, if you decide to install what pretends to be PornDroid:
[Figure: Note the "Read your Web bookmarks and History" permission, and some permissions unknown to me until now: "Reorder Running Apps", "Draw Over Other apps"]
Then, if you launch it, you are asked to grant it "Device Administrator" rights.
[Figure: Fake "PornDroid" trying to convince you that it needs "Device Administrator"]
If you activate it, here is what is shown in the Settings:
[Figure: "These privileges are needed to protect your device from attackers, and will prevent Android OS from being destroyed."]
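The install screen above is useful as a triage signal: an app that asks for the overlay, task-reordering and browser-history permissions and also registers a Device Administrator receiver has everything a lock-screen extortion app needs. The script below is an added example (not code from this post or from the sample) that flags that combination in a decoded AndroidManifest.xml; the embedded manifest is a constructed mock of the permission set seen here, not the real APK's.

```python
"""Triage heuristic for a decoded AndroidManifest.xml: score the combination
of device-admin receiver + overlay + task reordering + browser history.
Added example; the sample manifest below is constructed, not the real APK."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS
PERMISSION = "{%s}permission" % ANDROID_NS

# Permissions behind the labels shown on the install screen.
SUSPICIOUS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "Draw over other apps",
    "android.permission.REORDER_TASKS": "Reorder running apps",
    "com.android.browser.permission.READ_HISTORY_BOOKMARKS": "Read your Web bookmarks and history",
}

def triage_manifest(xml_text):
    """Return (score, findings). Each matched permission scores 1; a
    device-admin receiver scores 2, since it is what makes the lock sticky."""
    root = ET.fromstring(xml_text)
    findings = []
    for perm in root.iter("uses-permission"):
        name = perm.get(NAME, "")
        if name in SUSPICIOUS:
            findings.append("requests %s (%s)" % (name, SUSPICIOUS[name]))
    for recv in root.iter("receiver"):
        if recv.get(PERMISSION) == "android.permission.BIND_DEVICE_ADMIN":
            actions = {a.get(NAME) for a in recv.iter("action")}
            if "android.app.action.DEVICE_ADMIN_ENABLED" in actions:
                findings.append("device-admin receiver %s" % recv.get(NAME))
    score = sum(2 if f.startswith("device-admin") else 1 for f in findings)
    return score, findings

# Constructed sample manifest mimicking the permission set described in the post.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="example.fake.porndroid">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REORDER_TASKS"/>
  <uses-permission android:name="com.android.browser.permission.READ_HISTORY_BOOKMARKS"/>
  <application>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    score, findings = triage_manifest(SAMPLE_MANIFEST)
    print("score:", score)          # prints 5 for the sample above
    for f in findings:
        print(" -", f)
```

Run it against the output of a manifest decoder (apktool or similar) instead of the embedded sample to triage a real APK.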
In the background, a webpage containing child pornography is shown.
[Figure: All images are linked to videos that are indeed on the server]
[Figure: Captured traffic between launch and lock]
[Figure: 500$]
[Figure: You can expand each block and get details]
[Figure: Usual MoneyPak payment system]
[Figure: Can take photos]
[Figure: Images that have been pushed to the user are now shown as "evidence". Browsing history is available here too]
[Figure: This screen is for the upper part; 4 CP/Zoo images are presented as evidence]
I was wondering if the images were taken from the cache or something, but they are in fact downloaded, encrypted along with the design, in the first 400 KB call (so even before the website is displayed).
[Figure: What's missing? Oh yes... Prism.]
Launching the APK from another country, you get the sick webpage and the call to the C&C, but no lock.
Browsing the same referer from France and Great Britain at that time, I landed on some fake (?) antivirus stuff like: