Android/Torec by Fake Flash Malvertising

Another fake flash malvertising leading to malicious APK.
Android/Torec is a Trojan that steal some informations and able to send SMS.
This Trojan is using TOR nework : or


URLs :[...]



TDS at owned by Russian :

Registry Tech ID:
Tech Name: Ruslan Bakanaev
Tech Organization:
Tech Street: Bulvarnay 53
Tech City: Svobodniy
Tech State/Province: Amurskaya obl
Tech Postal Code: 676450
Tech Country: Russian Federation
Tech Phone: +7.9141837996
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: :
(a lot of Android.Locker but it’s not a Locker)

SHA256: 74cbbaaad648718be2c6b3cc94ae70fbff95e9aa9dcd58b3436c59bc348b7407
Nom du fichier : apk.apk
Ratio de détection : 26 / 56
Date d’analyse : 2015-03-25 11:35:39 UTC (il y a 0 minute)
Antivirus Résultat Mise à jour
Ad-Aware Android.Trojan.SLocker.A 20150325
AegisLab Agent 20150325
AhnLab-V3 Android-Malicious/Slocker 20150324
Alibaba A.H.Rog.Pletor.A 20150325
Avast Android:Locker-BD [Trj] 20150325
Baidu-International Trojan.Win32.Agent.AaA 20150325
BitDefender Android.Trojan.SLocker.A 20150325
CAT-QuickHeal Android.SmForw.BY 20150325
Comodo UnclassifiedMalware 20150325
Cyren AndroidOS/GenBl.F9E458BE!Olympus 20150325
DrWeb Android.Banker.51.origin 20150325
ESET-NOD32 a variant of Android/Torec.C 20150325
Emsisoft Android.Trojan.SLocker.A (B) 20150325
F-Secure Android.Trojan.SLocker.A 20150325
Fortinet Android/Torec.A!tr 20150325
GData Android.Trojan.SLocker.A 20150325
Ikarus Trojan.AndroidOS.FakeInst 20150325
Kaspersky 20150325
McAfee Artemis!F9E458BE2943 20150325
MicroWorld-eScan Android.Trojan.SLocker.A 20150325
NANO-Antivirus Trojan.Android.BankBot.dkzuaf 20150325
Qihoo-360 Win32/Trojan.DoS.e1b 20150325
Sophos Andr/Torec-A 20150325
Tencent a.rogue.simplocker.a 20150325
TrendMicro-HouseCall Suspicious_GEN.F47V0227 20150325
Zoner Trojan.AndroidOS.SIMLocker.B 20150323

The APK is able to send SMS :


ero_advertising_malicious_APK_access2 ero_advertising_malicious_APK_access
seems this APK is not using TOR but

Plugrush ( and popcash networks : malvertising

PlugRush and Popcash networks are two ads networks unable to keep their network clean.
I report every days malvertising to them, the support reply fast, (sometime for popcash, bad advertising are running for all the Week-end) but they are unable to filter the good from the bad.
so i think, if i stop to report them, they will delivering bad advertising.
Most of the time, when an ads network is hitten by malvertising, they take some cautions after that (submit domain to VirusTotal etc).

For PlugRush & Popcash, that made severals years and still the same loop.
Malvertisings pay better than usual, so you dont know if some ads network let them to make more cash or if they are just unable to detect it (or they simply dont care).
At the users end, the results are the same. So i decide to blacklist them to VirusTotal.

Thoses two networks are already red in WOT. is red with a lot of malwares mentions, so they move to

Popcash is also red in VirusTotal :
There are a lot of “good site comments” but if you look well, there are all on 06/08/2015, so i think someone pay to post these fake comments.

popcash_mywot3 popcash_mywot2 popcash_mywot

That made a long time, i report malvertising to PlugRush.
2013 – Fake police Ransomware on PlugRush :

Today they have often part of all the bad malvertising such as :

Here a screenshots of the Fake Virus Alert :


Bellow some requests to PlugRush network :



And popcash :


popcash_twitter_malvertising_report2 popcash_twitter_malvertising_report


and sometimes :


just because they make more $ with it.

EDIT – May 2015 : still a lot of bad advertising at Popcash

still some bad ads at PlugRush, seems there is some improvments, but still a LOT malvertisings at Popcash.
Fake Flash Malvertising, Android Locker, Scam Support malvertising.

PlugRush :

Popcash – on the same day :

EDIT – still bad ads at popcash.

Still and still :

9 days after the first tweet, bad ads are still online :

EDIT – September 2015 : Many efforts have been made

Some Efforts has been made by popcash & Plugrush network.
So less malvertising / bad advertisements.

Index of Android Locker

Some Android Locker active now.
We are back in 2013 for Fake Police Ransomware : Antivirus are a bit imature on Android, it’s new, so some differents lockers are made.
Probably in some months, some gonna dead.

When you are surfing in adult website, an ads is offering an APK, if you install it (you have to enable unsecure source), the Android Locker is installed.

PornDroid / Koler

by digusting malvertising :





Another campaign :

Detection example :

Related links :

Malvertising : Android/Svpeng / Android/Crosate / Android/Deng

See :

by Fake Flash Malvertising :

android_locker android_locker_deng4

Detection example :

SHA256: f396f49397affa9e9ea158b0caf908ab99857db98b780fdd565fbdd13b68864a
Nom du fichier : adobe_flash_player_15.10.4.apk
Ratio de détection : 7 / 57
Date d’analyse : 2015-03-16 21:54:41 UTC (il y a 10 heures, 27 minutes)
Antivirus Résultat Mise à jour
AVG Android/Deng.CJE 20150316
Avira Android/Svpeng.A.18 20150316
Cyren AndroidOS/GenBl.99C13486!Olympus 20150316
DrWeb Android.Locker.12.origin 20150316
ESET-NOD32 a variant of Android/Crosate.P 20150316
Kaspersky HEUR:Trojan-Banker.AndroidOS.SvPeng.a 20150316
McAfee Artemis!99C134869A64 20150316

Android/Fusob / Android/Slocker & Browlock Ransomware

very active, offer an APK then redirection to Browlock Ransomware – see :

via PornoDroidTube malvertising :

scheme is :

malvertising URL
APK via domain/s=mpWs
Browlock via domain/5/9 (or another numbers)

Detection example :

SHA256: 929994b5ca3824b8090083b309b13c2118afbd993c7f6aedc09bb19d7552378d
Nom du fichier : get_player.php?s=mpWk
Ratio de détection : 15 / 57
Date d’analyse : 2015-03-23 10:23:35 UTC (il y a 48 minutes)
Antivirus Résultat Mise à jour
AhnLab-V3 Android-Malicious/Slocker 20150323
Alibaba A.H.Pri.Gaudy 20150323
Avira Android/Fusob.A.32 20150323
Cyren AndroidOS/SLocker.R 20150323
DrWeb Android.Locker.97.origin 20150323
ESET-NOD32 Android/Locker.AZ 20150323
Emsisoft Trojan.Android.Locker (A) 20150323
F-Prot AndroidOS/SLocker.R 20150323
Fortinet Android/Fusob.A!tr 20150323
Ikarus Trojan.AndroidOS.Locker 20150323
K7GW Trojan ( 6b49d20b1 ) 20150323
Kaspersky HEUR:Trojan-Ransom.AndroidOS.Fusob.a 20150323
McAfee Artemis!AA5C29F72FF0 20150323
Sophos Andr/PornLock-A 20150323
TrendMicro-HouseCall Suspicious_GEN.F47V0320 20150323

EDIT – September 2015 : Android Locker still very active

Still a lot of malvertising, also some new malvertising with fake virus message :

also they improve the locker with menu etc :


Another variant :

Android:SMSreg / AndroidOS.SMSreg Malvertising

I open a new topic for Android:SMSreg / AndroidOS.SMSreg
According Kaspersky, it was the second threat in 2014 :
Fortiguard give a good description :
At the end of the description, Fortiguard say : ial/SmsReg!Android exists in multiple versions, customized for various countries.

Avast! made an entry in his blog – they clearly class it as malware :

Theses programs permit to access to porn video (that you can get for free) via a pay-service even if you dont use it (the application send SMS to taxed phone number).

The application can be customize, so some probably are clean or very border line, and some abuse users.

Depend where you put the cursor, but you have to take cautions with theses kind of programs because some probably abuse, some can show EULA and some just only a little message at a bottom of a long texte to say that they will send pay SMS. .
also they can evoluate in the time, at the beginning there was no EULA, and after antivirus flag it, some can add EULA to be more legitime etc.

Also the SMS are sent in background, even if you dont use the service, so users dont notice anything, you have to uninstall the apps to stop the SMS sending.
And sometimes, you got problem to get ride of it :

EULA example :


Also theses programs requiert big Access; could be a privacy problem.
This is the problem with unsecure application (not in Google Store), you cant be exactly sure of what you install.

Android_SMSreg_EULA2 Android_SMSreg_EULA









APK are around 15/20 on VirusTotal :
Most of the time, they detect the SMS code part.

SHA256: 583628d0d244b47201e1b7593d521118fa53c5115adab78d4bc6f00debde9aeb
Nom du fichier : youpornxxx_-_MBCOOL_-_90024248245414_-_.apk
Ratio de détection : 17 / 54
Date d’analyse : 2015-03-20 12:59:57 UTC (il y a 3 heures, 19 minutes)
Antivirus Résultat Mise à jour
AVG Android/Deng.ISA 20150320
AegisLab Pawen 20150320
Avast Android:SMSreg-AKO [PUP] 20150320
Avira SPR/ANDR.SMSreg.3907 20150320
Baidu-International Hacktool.Android.SMSreg.II 20150320
CAT-QuickHeal Android.Pawen.A (Suspicious) 20150320
Cyren AndroidOS/GenPua.FEC6300D!Olympus 20150320
DrWeb Android.Dialer.5.origin 20150320
ESET-NOD32 a variant of Android/SMSreg.II potentially unsafe 20150320
Ikarus Unsafe.Adware.AndroidOS 20150320
K7GW Trojan ( 004b56dc1 ) 20150320
Kaspersky HEUR:Trojan.AndroidOS.Pawen.a 20150320
McAfee Artemis!FEC6300D9B34 20150320
NANO-Antivirus Trojan.Android.SmsSend.dgqqwi 20150320
Qihoo-360 Win32/Trojan.DoS.5ff 20150320
Tencent a.gray.ikangoo 20150320
TrendMicro-HouseCall Suspicious_GEN.F47V0211 20150320

In France in 2014 :

Most of the times with theses kind of programs, there are users complaints :

some campaign that push theses kind of programs …

Active in clickadu network and Adsterra ( – already gave all the details

According Clickadu network, it has been removed.
I dont have contact with Adsterra.
Thoses ones targets mostly US users.


In Spain

active in Exoclick network and ero-advertising, so very big.
Two differents actors :

Example of detection :


and via :



the first one is not very interresting – same has address has address has address has address

The second is more interresting : has address


and ikangoo / m-hunter : has address mail is handled by 0 mail is handled by 5

mobile marketting stuffs :

Trojan_SMSreg_spain_m-hunter_ikangoo2 Trojan_SMSreg_spain_m-hunter_ikangoo


a search give another APK reported as phishing – registered by
Lead to Android:SMSReg :
and OVH too : has address

Trojan_SMSreg_spain_ikangoo2 Trojan_SMSreg_spain_ikangoo

back to the fiddler logs, so we have :[…][…][…][…][…]

see :

Same IP as ikangoo : has address
Registered by :

Domain Name: GF2FUCK.COM
Registrar: ENOM, INC.
Sponsoring Registrar IANA ID: 48
Whois Server:
Referral URL:
Status: clientTransferProhibited
Updated Date: 06-oct-2014
Creation Date: 06-oct-2014
Expiration Date: 06-oct-2015

Registrant Name: IVAN IVAN
Registrant Street: C JAUME ROIG, 28. ENTLO. 5
Registrant City: VILA-REAL
Registrant State/Province: CASTELLON
Registrant Postal Code: 12540
Registrant Country: ES
Registrant Phone: +34.964100445
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: IVAN@M-HUNTER.COM

some spanish users complaints :

Exoclick, popcash and ero-advertising has been notified.
OVH too.


EDIT – Portugal – Espabit Android.SMSReg – via

Ero-advertising then :[...][...][...][...][...][...][...][..]


Espabit :



Admin Street: AVD. JERONIMO ROURE 49, 2B
Admin State/Province: VALENCIA
Admin Postal Code: 46520
Admin Country: ES
Admin Phone: +34.902909246
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:



EDIT – Italy : Slimspots &

same sources

  • slimspots (via ero-advertising) that is loading the well know
  • is loading – no information about it, the whois is protected.

Binary :

kimia_android_smsreg  slimspot_bettyads_IT




EDIT – still a lot Android:SmsReg Malvertising in Spain

Still a lot in Spain :

  • via ero-advertising / slimspots : r.COOLMOBILE.BIZ ( – seems to belong to mobobeat ads.
  • adamoads network & Plus Rush is loading (see above)
  • popcash network via ( – no information
  • Adsterra ( via ( – mobusi mobile ads

android_smsreg_slimspots_coolmobile android_smsreg_popcash android_smsreg_adamoads


Malvertising : Android/Svpeng / Android/Crosate / Android/Deng

yesterday i tweet two malvertising on ero-advertising and popcash :


The Malvertising lead to a Fake Flash malvertising that offer an APK – of course it’s an Android Locker :

SHA256: f396f49397affa9e9ea158b0caf908ab99857db98b780fdd565fbdd13b68864a
Nom du fichier : adobe_flash_player_15.10.4.apk
Ratio de détection : 7 / 57
Date d’analyse : 2015-03-16 21:54:41 UTC (il y a 10 heures, 27 minutes)
Antivirus Résultat Mise à jour
AVG Android/Deng.CJE 20150316
Avira Android/Svpeng.A.18 20150316
Cyren AndroidOS/GenBl.99C13486!Olympus 20150316
DrWeb Android.Locker.12.origin 20150316
ESET-NOD32 a variant of Android/Crosate.P 20150316
Kaspersky HEUR:Trojan-Banker.AndroidOS.SvPeng.a 20150316
McAfee Artemis!99C134869A64 20150316


Screenshots of the Screenshot locker (thanks to kafeine for the screenshots) :







There are now a lot of Android Ransomware :

PornotubeDroid Malvertising are far to be the most active and trying to push malvertising on ero-advertising, hornyspot, popcash, popads networks – see :

PUP.InstallIQ / PUP.InstallX : Fake Flash / Fake Java Malvertising

A new thread for another PUP / Adware installer that use Fake Flash / Java malvertising.
Was active on sometimes ago via network (see ).

Today it’s on (~900 global rank at Alexa). Yesterday i tweet it :
I give more details bellow about this malvertising, before some details about this PUP.InstallQ


Clickadu Network : bad advertising

A lot of bad advertising on this network.

Fake Java malvertising and Fake scam support :

alrady came accross this zeroredirecting in the past on vipcpms if i remember well.

also a lot of fake virus mobile in France :

clickadu_fakevirusmobile clickadu_fakevirusmobile2