LeakerLocker: Mobile Ransomware Acts Without Encryption

We recently found on Google Play a type of mobile ransomware that does not encrypt files. This malware extorts a payment to prevent the attacker from spreading a victim’s private information. LeakerLocker claims to have made an unauthorized backup of a phone’s sensitive information that could be leaked to a user’s contacts unless it receives “a modest ransom.”

The McAfee Mobile Malware Research team has identified this ransomware as Android/Ransom.LeakerLocker.A!Pkg. We reported it to Google, which says it is investigating.

Two applications on Google Play carry this threat. “Wallpapers Blur HD” has been downloaded between 5,000 and 10,000 times. It was last updated on April 7. From reviews, we can see that one user complains why a wallpaper app requests irrelevant permissions such as calls, reading and sending SMS, access to contacts, etc.

The second malicious app is “Booster & Cleaner Pro,” last updated on June 28. It has been downloaded between 1,000 and 5,000 times. Its rating is 4.5, much higher than Wallpaper’s 3.6. This rating, however, is not a safety indicator because fake reviews are very common in fraudulent apps.

Both Trojans offer apparently normal functions, but they hide a malicious payload.

Let’s examine “Booster & Cleaner Pro” to see what happens with this hidden payload.

At first execution, the malware displays typical functions of Android boosters. Due to the nature of this kind of application, users could be more willing to allow access to almost any permission.

After the boot is complete, the receiver com.robocleansoft.boostvsclean.receivers.BoorReceiver initiates AlarmManager, which along with other conditions starts the malicious activity com.robocleansoft.boostvsclean.AdActivity and locks the device’s screen.

LeakerLocker locks the home screen and accesses private information in the background thanks to its victims granting permissions at installation time. It does not use an exploit or low-level tricks but it can remotely load .dex code from its control server so the functionality can be unpredictable, extended, or deactivated to avoid detection in certain environments.

Not all the private data that the malware claims to access is read or leaked. The ransomware can read a victim’s email address, random contacts, Chrome history, some text messages and calls, pick a picture from the camera, and read some device information—as we can see from the following JavaScript interface function:

All this information is randomly chosen to display via JavaScript (in jpus.js) and convince the victims that lots of data has been copied. A WebView appears after the device is locked.

At this point the information has not been transmitted by the code in the original app, but a transfer could occur if the control server provides another .dex file.

When a victim inputs a credit card number and clicks “Pay,” the code send a request to the payment URL with the card number as a parameter. If the payment succeeds, it shows the information “our [sic] personal data has been deleted from our servers and your privacy is secured.” If not successful, it shows “No payment has been made yet. Your privacy is in danger.” The payment URL comes from server; the attacker can set different destination card numbers on the server.

We advise users of infected devices to not pay the ransom: Doing so contributes to the proliferation of this malicious business, which will lead to more attacks. Also, there is no guarantee that the information will be released or used to blackmail victims again.

Hashes

  • A485F69D5E8EFEE151BF58DBDD9200B225C1CF2FF452C830AF062A73B5F3EC97
  • CD903FC02F88E45D01333B17AD077D9062316F289FDED74B5C8C1175FDCDB9D8
  • CB0A777E79BCEF4990159E1B6577649E1FCA632BFCA82CB619EEA0E4D7257E7B
  • B6BAE19379225086D90023F646E990456C49C92302CDABDCCBF8B43F8637083E
  • 486F80EDFB1DEA13CDE87827B14491E93C189C26830B5350E31B07C787B29387

URLs

  • hxxp://updatmaster.top/click.php?cnv_id
  • http://goupdate.bid/click.php?cnv_id=

Leave a Comment

one × 5 =