2014-10-28 - Landscape The worst of Windows "Police Locker" is also available on Android

The usual referer for a Reveton Angler EK thread, tested on Android, pushes an APK after a plugrush mobile badvert (malvertisement).

Note the "Read your Web bookmarks and History"

and some permissions unknown to me till now:

"Reorder Running Apps", "Draw Over Other apps"

Fake "PornDroid" trying to convince you that it needs "Device Administrator"

If you activate it, here is what is shown in Settings:

"These privileges are needed to protect your device from attackers, and will prevent Android OS from being destroyed."
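The permission set above (overlay drawing, task reordering, browser history, camera) together with a Device Administrator receiver is the combination that lets a locker stay on top of every other app and resist removal. As an added triage example that is not code from the original post, the script below parses the decoded text form of an AndroidManifest.xml (as apktool emits it) and flags that pattern. The sample manifest, package name and class names are constructed for the demo; the mapping from the UI labels the post quotes to manifest permission strings is my assumption based on the standard Android permission names.

```python
"""Triage a decoded AndroidManifest.xml for the locker permission pattern.

Added example, not part of the original post. Input is the text form of
the manifest (e.g. the one apktool writes out). The sample below is
constructed; its package and class names are placeholders.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS
PERMISSION_ATTR = "{%s}permission" % ANDROID_NS

# Assumed mapping from the UI labels seen in the install dialog to the
# manifest permission strings of that Android generation.
SUSPICIOUS_PERMISSIONS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "Draw over other apps",
    "android.permission.REORDER_TASKS": "Reorder running apps",
    "com.android.browser.permission.READ_HISTORY_BOOKMARKS":
        "Read your Web bookmarks and history",
    "android.permission.CAMERA": "Take pictures and videos",
    "android.permission.READ_CONTACTS": "Read your contacts",
}

# Constructed sample manifest modelled on the behaviour described in the post.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.placeholder.locker">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.REORDER_TASKS"/>
    <uses-permission android:name="com.android.browser.permission.READ_HISTORY_BOOKMARKS"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <application android:label="PornDroid">
        <activity android:name=".MainActivity"/>
        <receiver android:name=".AdminReceiver"
                  android:permission="android.permission.BIND_DEVICE_ADMIN">
            <intent-filter>
                <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""


def triage_manifest(manifest_xml: str) -> dict:
    """Return the requested suspicious permissions, device-admin receivers
    and a boolean saying whether the overlay + task-reorder + device-admin
    locker pattern is present."""
    root = ET.fromstring(manifest_xml.strip())
    requested = {p.get(NAME_ATTR) for p in root.iter("uses-permission")}
    flagged = {p: SUSPICIOUS_PERMISSIONS[p]
               for p in sorted(requested) if p in SUSPICIOUS_PERMISSIONS}

    # A device-admin receiver is either protected by BIND_DEVICE_ADMIN or
    # listens for DEVICE_ADMIN_ENABLED; check both so a missing attribute
    # does not hide it.
    admin_receivers = []
    for receiver in root.iter("receiver"):
        guarded = receiver.get(PERMISSION_ATTR) == "android.permission.BIND_DEVICE_ADMIN"
        listens = any(a.get(NAME_ATTR) == "android.app.action.DEVICE_ADMIN_ENABLED"
                      for a in receiver.iter("action"))
        if guarded or listens:
            admin_receivers.append(receiver.get(NAME_ATTR))

    locker_pattern = (
        "android.permission.SYSTEM_ALERT_WINDOW" in requested
        and "android.permission.REORDER_TASKS" in requested
        and bool(admin_receivers)
    )
    return {
        "package": root.get("package"),
        "flagged_permissions": flagged,
        "device_admin_receivers": admin_receivers,
        "locker_pattern": locker_pattern,
    }


if __name__ == "__main__":
    report = triage_manifest(SAMPLE_MANIFEST)
    print("package:", report["package"])
    for perm, label in report["flagged_permissions"].items():
        print("  requests %-55s (%s)" % (perm, label))
    print("device admin receivers:", report["device_admin_receivers"])
    print("locker pattern:", report["locker_pattern"])
```

The check is deliberately a combination, not a single permission: overlay drawing or a device-admin receiver on its own is common in legitimate apps, but all three together on an APK served from an ad redirect is what a triage analyst would want surfaced first.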

In the background, a webpage containing child pornography is shown.

All images are linked to videos that are indeed on the server.

Captured traffic between launch and lock

Then the phone is locked.

You can expand each block and get details.

Usual Money Pack payment system

Can take photos

Images that have been pushed to the user are now shown as "evidence". Browsing history is available here too.





This screen for the upper part

4 CP/Zoo images are presented as evidence.

I was wondering if the images were taken from the cache or something, but they are in fact downloaded, encrypted, along with the design in the first 400 KB call (so even before the website is displayed).

What's missing? Oh yes... Prism.

I didn't analyse the APK deeply, but the first HTTP POST is really big.

From what I saw, this is focused on the USA.

Launching the APK from another country, you get the sick webpage and the call to the C&C, but no lock.

Browsing the same referer from France and Great Britain at that time, I landed on some fake (?) antivirus stuff like:

Files: nothing. But here is an MD5: be4ad7e9140646a31099780c62a34bca from when I discovered it. And a fresher one: c03e2d5712cb5d738f06bfd79b9be12a. I wouldn't be surprised if contacts, browsing history etc. were pushed to the C&C.

It seems the main name coming up is Koler... but I wouldn't say it's the same team behind this and the Koler featured here before and in the last AdaptiveMobile post.
