LeakerLocker Mobile Ransomware Threatens to Expose User Information

by Ford Qin

While mobile ransomware such as the recent SLocker focuses on encrypting files on the victim’s devices, a new mobile ransomware named LeakerLocker taps into its victims’ worst fears by allegedly threatening to send personal data on a remote server and expose its contents to everyone on their contact lists.

The LeakerLocker ransomware is being carried by three applications found in Google Play: “Wallpapers Blur HD”, “Booster & Cleaner Pro”, and “Calls Recorder”. The three apps, all of which have been removed from Google Play, are detected by TrendMicro as ANDROIDOS_LEAKERLOCKER.HRX. While there is no evidence that these applications were made by the same person, it is highly possible that a single developer created them, given that they all carry the ransomware. In addition, we also found apps with similar names in Google Play, though we are still uncertain of their exact connection with the above malicious apps. We have already notified Google regarding these apps.

This entry looks into the specific application known as “Calls Recorder” to analyze LeakerLocker.

Technical Analysis

A quick glance at LeakerLocker reveals the following infection vector:

Figure 1: LeakerLocker infection diagram

The application itself was downloaded from Google Play. As of publication, this specific app has already been taken down. We have already notified Google regarding these apps.

Figure 2: Screenshot of the “Calls Recorder” app on Google Play

Once the “Calls Recorder” app is downloaded into the user’s device, it will initially gather the numbers of contacts, photos, and recent phone calls to check whether those numbers are larger than the previously defined numbers. This means that if there aren’t enough contacts, photos and phone calls in the target’s phone, the malicious code will not execute.

Figure 3: Code to check contacts, photos and recent phone calls

The next step for the “Calls Recorder” app involves delaying the execution of the malicious code for about 15 minutes. Execution delay is a common trick used to escape dynamic detection. After this time has passed, “Calls Recorder” will check whether the user’s device is using a WiFi connection. It will then disconnect the wireless network connection before checking for a mobile data connection shortly after. If a mobile data connection is not available, it will not proceed further. The WiFi connection will be then be restored to its previous state regardless of whether the user’s device hits the prerequisites.

If the user’s phone passes all the previous checks, there will be one final check for the application using the referrer. The referrer is a component sent by the Google Play App via broadcast that’s commonly used to track an app’s distribution channels during installation. However, the referrer in this app is also used as a necessary key parameter in URLs to access its remote server. Essentially, this malware is installed via Google Play App and can only perform malicious behavior through this installation method.

After all the required checks pass, “Calls Recorder” will send a request to hxxp://updatmaster.top/click[.]php. If the request is successful, it will send a broadcast that triggers the malware.

Once the receiver receives the broadcast, it will launch another Java class named x.ld.Ld. After the related broadcast is sent, the app loads and x.ld.Ld requests data from hxxp://176.9.18.91 to get further instructions.

The server response contains information about JAR files that need to be downloaded and configured. According to our analysis of the server response, “Calls Recorder” will download two JAR files — “u.jar” and “x.awvw.Awvw.jar”, as well as their configurations. “Calls Recorder” will then load, execute, and remove these two JAR files.

Figure 4: Jar files and the downloaded configuration

However, the “u.jar” we captured won’t actually be executed. Instead, “x.awvw.Awvw.jar” will download another Jar file from hxxp://5.9.65.235:18011 and execute it.

The downloaded Jar file will be saved as “support.jar”. It will then request tasks from the server hxxp://5.9.65.235:18080 and perform them.

A quick glance at the code of “support.jar” shows that it opens web pages in WebView, locates specific elements position in WebView, clicks specific elements in WebView, clears cookies, and intercepts http requests. The “Calls Recorder” app contains code to render a ransom web page showing details of contacts, phone calls, SMS, and other potentially sensitive information.

Figure 5. LeakerLocker ransom note

We did not actually find any code indicating that LeakerLocker will actually do what it threatens to do. However, tapping into the user’s fear of being exposed can be an effective extortion tactic. While traditional file encrypting ransomware does damage by actually encrypting files, LeakerLocker works on a deeper psychological level. This means that, even if the ransomware itself does not do anything, merely indicating that it could do so could be just as effective. In any case, the app can download code from the C&C server even if the actual code is not present.

Mitigation and Solutions

The key takeaway here is that “Calls Recorder” can download malicious Java or Jar files from the internet and execute them, which means it can also perform a wide range of malicious behaviors. As such, all mobile users should ensure that their devices are protected as much as possible from any external attacks. One method of doing this is by always reading the reviews of particular apps to check if there are any comments about it being suspicious. In addition, users should always ensure that their devices are up to date and all required security patches are applied.

In addition, users should consider comprehensive antivirus solutions that can defend against mobile ransomware. Trend Micro™ Mobile Security blocks threats from app stores before they can be installed and cause damage to devices.

The following hashes were used in this entry:

SHA256