LeakerLocker: New Blackmail Ransomware Hidden In Google Play Apps Threatens To Release Your Private Files

NSI has recently shared our thoughts on the WannaCry and PetrWrap ransomware outbreaks. Recently another new strain of ransomware has been discovered spreading through bogus apps on the Google Play Store, this time the targets are Android mobile users.

Android/Ransom.LeakerLocker.A!Pkg known as LeakerLocker, does not encrypt files on your device, unlike traditional ransomware, instead, it secretly collects your personal images, messages and browsing history and threatens to share it to your contacts if you don’t pay $50 (£38).

The LeakerLocker ransomware has so far been found in at least two apps: “Wallpapers Blur HD” has been downloaded between 5,000 and 10,000 times. It was last updated on April 7. From reviews, we can see that one user complains why a wallpaper app requests irrelevant permissions such as calls, reading and sending SMS, access to contacts, etc.

The second malicious app is “Booster & Cleaner Pro” last updated on June 28. It has been downloaded between 1,000 and 5,000 times. Its rating is 4.5, much higher than Wallpaper’s 3.6. This rating, however, is not a safety indicator because fake reviews are very common in fraudulent apps.

fraudulent-apps

The apps don’t contain any malicious payload to evade detection of malicious functionality and typically function like legitimate apps.
Most users typically breeze past the numerous permissions requested by apps during installation. This is what the creators of LeakerLocker count on.

Once installed the apps load malicious code from their command-and-control server, which instructs them to collect a vast number of sensitive data categories from your phone.

The LeakerLocker ransomware then locks your home screen and displays a message that provides details of the data it claims to have stolen and gives instructions on how to pay the ransom to ensure your information is deleted.

The ransom message reads:

“All personal data from your smartphone has been transferred to our secure cloud.

In less than 72 hours this data will be sent to every person on your telephone and email contacts list. To abort this action you have to pay a modest ransom of $50 (£38).

Please note that there is no way to delete your data from our secure but paying for them. Powering off or even damaging your smartphone won’t affect your data in the cloud.”

Although the ransomware claims that it has taken a backup of all of your sensitive information, including personal photos, contact numbers, SMS’, calls and GPS locations and browsing and correspondence history, researchers believe only a limited amount of data on victims is collected.

According to researchers, LeakerLocker can read a victim’s email address, random contacts, Chrome history, some text messages and calls, take a picture from the camera, and read some device information.
All the above information is randomly chosen to display on the device screen, which is enough to convince the victims that lots of data have been copied.

Both malicious apps have since been removed by Google from the Play Store, but it is likely that hackers will try to smuggle their software into other apps.

If you have installed any of the two apps, uninstall them right now.

Both Apps offer seemingly normal functions, but they hide a malicious payload. Let’s take a closer look at “Booster & Cleaner Pro” to see what happens when it’s malicious hidden payload is activated.

boost

Unfortunately, due to the nature of this kind of application, users are often more willing to allow access to almost any permissions. At first execution, the malware displays typical functions of Android system boosters.

Once the boot is complete, the receiver com.robocleansoft.boostvsclean.receivers.BoorReceiver initiates AlarmManager, which along with other conditions, starts the malicious activity com.robocleansoft.boostvsclean.AdActivity and locks your device’s screen.

LeakerLocker then accesses private information in the background thanks to your granting permissions at installation time. It can remotely load .dex code from its control server so the functionality can be unpredictable, extended, or deactivated in an effort to avoid detection in certain environments.

Not all the private data that the malware claims to access is copied or leaked. LeakerLocker can read your email address, Chrome history, text messages, random contacts, and calls, take a picture from the camera, and read some device information as can be seen from the following JavaScript interface function:

javascript-leakerlocker-boost

All this information is randomly chosen to display via JavaScript (in jpus.js) and convince you that lots of data has been copied. A WebView appears after the device is locked.

javascript-jpus

At this stage the information has not been transmitted by the code in the original app, but a transfer can occur if the control server provides another .dex file.

When you input a credit card number and click “Pay” the code sends a request to the payment URL with the card number as a parameter. If your payment is successful, it shows the information “our [sic] personal data has been deleted from our servers and your privacy is secured.” If not successful, it shows “No payment has been made yet. Your privacy is in danger.” The payment URL comes from the server; the attacker is able to set different destination card numbers on the server.

leakerlocker-payment

While we highly recommend users of infected devices to not pay the ransom, we understand the decision is ultimately only yours to make. Please keep in mind though, paying these ransoms only contributes to the proliferation of this malicious business, which will lead to more attacks. Also, there is no guarantee that your information will be released or not used to blackmail you again.

About National Surveillance and Intelligence

National Surveillance and Intelligence is an Australian owned Global Geopolitical Risk and Counter Intelligence Advisory Firm. NSI has an interdisciplinary team of employees and partners in strategic locations around the globe.

Our Best in Class Services include:

  • Global Geopolitical Risk Advisory
  • Counterintelligence Services
  • Complete Organisational Security Risk Auditing
  • Technical Surveillance Counter Measures
  • Digital Forensic and Corporate Investigations
  • Cyber Countermeasures
  • Global Immediate Response Teams

Our experts have provided consultation, and have been interviewed numerous times by major media outlets such as:

  • Channel 7 News
  • The Sydney Morning Herald
  • 60 Minutes
  • The Daily Telegraph
  • Today Tonight
  • ABC Radio
  • A Current Affair
  • Sky Business News
  • Xinhua News China

NSI is called upon for its expertise by corporations in the Mining, Oil and Gas industries, Financial Institutions, Insurance companies, Law and Accounting firms, Government agencies and High Net-Worth individuals. Our services are available globally with local offices in Sydney, Dubai, Hong Kong and Singapore. To book a confidential consultation, feel free to contact our team.