One year ago, I blogged about a nasty evolution of Kovter using sick method to ensure people are shocked and  in doubt enough to pay ransom.

A week ago doing some Android browsing to check how would react some "Desktop world" badness on mobile I've been pushed a pseudo Porn application

[caption id="attachment_2719" align="alignnone" width="816"] Usual referer for some Reveton Angler EK Thread tested on Android pushes an APK after plugrush mobile badvert[/caption]

So without user interaction nothing will happen. Just a dirty apk on your phone.
Now if you decide to install what pretends to be Porndroid :

[caption id="attachment_2722" align="alignnone" width="534"] Note the "Read your Web bookmarks and History"
and some unknown to me till now Permissions :
"Reorder Running Apps", "Draw Over Other apps"[/caption]

Then if you launch it you are asked to grant it "Device Administrator" Rights

[caption id="attachment_2725" align="alignnone" width="800"] Fake "PornDroid" trying to convince you that it needs "Device Administrator"[/caption]

If you activate it here is what will be shown in the Settings :

[caption id="attachment_2728" align="alignnone" width="752"] "These privileges are needed to protect your device from
attackers, and will prevent Android OS from heing destroyed.[/caption]

In background a webpage containing Child Pornography  is shown.

[caption id="attachment_2730" align="alignnone" width="637"] All images are linked to Videos that are indeed on the Server.[/caption]

 

[caption id="attachment_2732" align="alignnone" width="1024"] Captured Traffic between Launch and Lock[/caption]

Then the phone is locked.

[caption id="attachment_2733" align="alignnone" width="646"] 500$[/caption]

[caption id="attachment_2734" align="alignnone" width="646"] You can expand each Block and get details[/caption]

[caption id="attachment_2735" align="alignnone" width="646"] Usual Money Pack payment system[/caption]

 

[caption id="attachment_2736" align="alignnone" width="800"] Can take photos[/caption]

[caption id="attachment_2737" align="alignnone" width="644"] Image that have been pushed to the user are now
shown as "evidences". Browsing History available here too[/caption]

[caption id="attachment_2738" align="alignnone" width="646"] This screen for the upper part
4 CP/Zoo images are presented as evidences[/caption]

 

I was wondering if the images were taken from the cache or something but they are in fact downloaded encrypted with the Design in the first 400ko call (so even before the website is displayed).

[caption id="attachment_2739" align="alignnone" width="646"] What's missing ? oh yes...Prism.[/caption]

 

I didn't analyse the APK deeply but the first http post is really big.

I wouldn't be surprised if Contacts/Browsing History etc were pushed to the C&C.From what i saw this is Focused on USA.
Launching the APK from another country, you get the sick webpage, call to C&C but no lock.
Browsing the same referer from France and Great-Britain at that time i landed on some fake (?) antivirus stuff like :

Files: Nothing. But here is a md5 : be4ad7e9140646a31099780c62a34bca from when i discovered it. And a fresher one  :  c03e2d5712cb5d738f06bfd79b9be12a

It seems the main name coming is Koler...but i wouldn't say it's the same team behind this and the Koler featured here before and in last AdaptiveMobile post .