
LeakerLocker Mobile Ransomware Threatens to Expose User Information

  • Posted on: July 31, 2017 at 5:00 am
  • Posted in: Mobile, Ransomware
  • Author: Ford Qin (Mobile Threats Analyst)

While mobile ransomware such as the recent SLocker focuses on encrypting files on the victim’s device, a new mobile ransomware named LeakerLocker taps into its victims’ worst fears by threatening to upload their personal data to a remote server and expose its contents to everyone on their contact lists.

The LeakerLocker ransomware is being carried by three applications found in Google Play: “Wallpapers Blur HD”, “Booster & Cleaner Pro”, and “Calls Recorder”. The three apps, all of which have been removed from Google Play, are detected by Trend Micro as ANDROIDOS_LEAKERLOCKER.HRX. While there is no evidence that these applications were made by the same person, it is highly possible that a single developer created them, given that they all carry the ransomware. In addition, we also found apps with similar names in Google Play, though we are still uncertain of their exact connection with the above malicious apps. We have already notified Google regarding these apps.

This entry looks into the specific application known as “Calls Recorder” to analyze LeakerLocker.

Technical Analysis

A quick glance at LeakerLocker reveals the following infection vector:

Figure 1: LeakerLocker infection diagram

The application itself was downloaded from Google Play. As of publication, this specific app has already been taken down. We have already notified Google regarding these apps.

Figure 2: Screenshot of the “Calls Recorder” app on Google Play

Once the “Calls Recorder” app is installed on the user’s device, it first counts the contacts, photos, and recent phone calls on the device and checks whether each count exceeds a predefined threshold. If there are not enough contacts, photos, and phone calls on the target’s phone, the malicious code does not execute.

Figure 3: Code to check contacts, photos and recent phone calls

The next step for the “Calls Recorder” app involves delaying the execution of the malicious code for about 15 minutes. Execution delay is a common trick used to evade dynamic analysis, whose time budget is usually shorter than that. After this time has passed, “Calls Recorder” checks whether the user’s device is using a Wi-Fi connection. It then disconnects the wireless network connection and, shortly after, checks for a mobile data connection. If a mobile data connection is not available, it does not proceed further. The Wi-Fi connection is then restored to its previous state regardless of whether the user’s device meets the prerequisites.

If the user’s phone passes all the previous checks, there is one final check on the application’s install referrer. The referrer is a value that the Google Play app delivers to the newly installed app via broadcast; it is commonly used to track an app’s distribution channels during installation. However, this app also uses the referrer as a required key parameter in the URLs it uses to access its remote server. Essentially, the malware is installed via the Google Play app and only performs its malicious behavior when it was installed through that channel.

After all the required checks pass, “Calls Recorder” will send a request to hxxp://updatmaster.top/click[.]php. If the request is successful, it will send a broadcast that triggers the malware.

Once the receiver gets the broadcast, it launches another Java class, x.ld.Ld, which requests data from hxxp://176.9.18.91 to get further instructions.

The server response contains information about JAR files that need to be downloaded and configured. According to our analysis of the server response, “Calls Recorder” downloads two JAR files, “u.jar” and “x.awvw.Awvw.jar”, as well as their configurations. “Calls Recorder” then loads, executes, and removes these two JAR files.
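The behavior chain described above (gating on the amount of personal data on the device, toggling Wi-Fi to force a mobile data path, requiring an install referrer, and loading downloaded JAR code at run time) can be triaged statically from a decompiled APK. The script below is an added example written for this post and is not Trend Micro’s tooling or code from the malware; it checks an apktool-style decoded AndroidManifest.xml and a list of class references pulled from smali for the permissions, receiver, and class-loader usage that each stage needs. The two manifests, the package names, and the class lists are constructed stand-ins, not artifacts from the samples.

```python
"""Static triage of a decompiled Android app for a LeakerLocker-style chain:
data-access permissions, Wi-Fi toggling, an INSTALL_REFERRER receiver and
dynamic loading of downloaded JAR/DEX code.

Added example, not Trend Micro's tooling. The manifests and class lists
below are constructed stand-ins for an apktool-decoded AndroidManifest.xml
and for class references grepped out of smali output.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that let an app read the kinds of data LeakerLocker threatens to leak.
DATA_PERMS = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_SMS",
    "android.permission.READ_EXTERNAL_STORAGE",
}
# Both are needed to switch Wi-Fi off and confirm that a mobile-data path exists.
WIFI_TOGGLE_PERMS = {
    "android.permission.CHANGE_WIFI_STATE",
    "android.permission.ACCESS_NETWORK_STATE",
}
# Class references, in smali form, that indicate code loaded at run time.
DYNAMIC_LOAD_CLASSES = {
    "Ldalvik/system/DexClassLoader;",
    "Ldalvik/system/PathClassLoader;",
}
REFERRER_ACTION = "com.android.vending.INSTALL_REFERRER"


def triage(manifest_xml: str, class_refs) -> dict:
    """Return the indicators found plus an overall 'suspicious' flag."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    # Only a broadcast receiver registered for the Play referrer action counts.
    receiver_actions = {
        a.get(ANDROID_NS + "name")
        for rcv in root.iter("receiver")
        for a in rcv.iter("action")
    }
    refs = set(class_refs)
    findings = {
        "data_access": sorted(perms & DATA_PERMS),
        "wifi_toggle": WIFI_TOGGLE_PERMS <= perms,
        "install_referrer_receiver": REFERRER_ACTION in receiver_actions,
        "dynamic_code_loading": sorted(refs & DYNAMIC_LOAD_CLASSES),
    }
    # Any single indicator is common in benign apps; the full chain is what stands out.
    hits = sum(1 for v in findings.values() if v)
    findings["suspicious"] = hits >= 3
    return findings


# Constructed manifest mimicking the capabilities described for "Calls Recorder".
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.recorder">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.CHANGE_WIFI_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <application>
    <receiver android:name=".ReferrerReceiver" android:exported="true">
      <intent-filter>
        <action android:name="com.android.vending.INSTALL_REFERRER"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""
SUSPECT_CLASS_REFS = [
    "Landroid/content/Context;",
    "Landroid/net/wifi/WifiManager;",
    "Ldalvik/system/DexClassLoader;",
    "Ljava/io/File;",
]

# Constructed manifest for a plain wallpaper app that has no such chain.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.wallpaper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <application/>
</manifest>"""
BENIGN_CLASS_REFS = ["Landroid/content/Context;", "Ljava/io/File;"]

if __name__ == "__main__":
    for name, manifest, refs in (("suspect", SUSPECT_MANIFEST, SUSPECT_CLASS_REFS),
                                 ("benign", BENIGN_MANIFEST, BENIGN_CLASS_REFS)):
        print(name, triage(manifest, refs))
```

The threshold of three co-occurring indicators is a deliberate choice: a referrer receiver or a contacts permission on its own is ordinary, but a Play-installed app that also toggles Wi-Fi and pulls a class loader into scope has the shape of a staged downloader and deserves manual review.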

Figure 4: JAR files and the downloaded configuration

However, the “u.jar” we captured is never actually executed. Instead, “x.awvw.Awvw.jar” downloads another JAR file from hxxp://5.9.65.235:18011 and executes it.

The downloaded JAR file is saved as “support.jar”. It then requests tasks from the server at hxxp://5.9.65.235:18080 and performs them.
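The staged download chain above touches four distinct server endpoints, all quoted in this post in defanged form. The script below is an added example, not Trend Micro’s tooling: it refangs those indicators, parses them into host/port pairs, and scans proxy log lines for matches, distinguishing an exact host-and-port hit from traffic to the same host on an unlisted port. The log format (timestamp, client, method, URL, status) and every log line, including the URL paths, are constructed for the example.

```python
"""Match the C&C endpoints named in the analysis against proxy logs.

Added example, not Trend Micro's tooling. The IoCs are copied from the text
as written (defanged); the log lines and their URL paths are constructed.
"""
from typing import Optional
from urllib.parse import urlsplit

DEFANGED_IOCS = [
    "hxxp://updatmaster.top/click[.]php",
    "hxxp://176.9.18.91",
    "hxxp://5.9.65.235:18011",
    "hxxp://5.9.65.235:18080",
]


def refang(ioc: str) -> str:
    """Undo the usual defanging conventions so the URL can be parsed."""
    return (ioc.replace("hxxps://", "https://")
               .replace("hxxp://", "http://")
               .replace("[.]", ".")
               .replace("[:]", ":"))


def ioc_endpoints(iocs):
    """Return a set of (host, port); port is None when the IoC does not pin one."""
    return {(u.hostname, u.port) for u in map(urlsplit, map(refang, iocs))}


def classify(url: str, endpoints) -> Optional[str]:
    """'exact' if host and port match an IoC (or the IoC has no port),
    'host' if only the host matches, None otherwise."""
    u = urlsplit(url)
    if (u.hostname, u.port) in endpoints or (u.hostname, None) in endpoints:
        return "exact"
    if any(host == u.hostname for host, _ in endpoints):
        return "host"
    return None


# Constructed proxy log: timestamp client method url status.
SAMPLE_LOG = """\
2017-07-31T05:00:01Z 10.0.0.12 GET http://updatmaster.top/click.php 200
2017-07-31T05:00:03Z 10.0.0.12 GET http://176.9.18.91/ 200
2017-07-31T05:00:09Z 10.0.0.12 GET http://5.9.65.235:18011/support.jar 200
2017-07-31T05:00:10Z 10.0.0.12 POST http://5.9.65.235:18080/ 200
2017-07-31T05:01:00Z 10.0.0.7 GET http://www.example.com/index.html 200
2017-07-31T05:01:05Z 10.0.0.12 GET http://5.9.65.235:8080/ 404
"""


def scan_log(text: str, iocs=DEFANGED_IOCS):
    """Return [(client, url, confidence)] for every line that touches an IoC host."""
    endpoints = ioc_endpoints(iocs)
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # skip malformed lines rather than crash mid-scan
        client, url = fields[1], fields[3]
        confidence = classify(url, endpoints)
        if confidence:
            hits.append((client, url, confidence))
    return hits


if __name__ == "__main__":
    for client, url, confidence in scan_log(SAMPLE_LOG):
        print(f"{confidence:5} {client} {url}")
```

Reporting same-host hits separately matters here because the second-stage server is contacted on two different high ports; a strict host-and-port match alone would miss a client talking to that host on a port the published IoCs do not list.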

A quick glance at the code of “support.jar” shows that it opens web pages in a WebView, locates the position of specific elements in the WebView, clicks those elements, clears cookies, and intercepts HTTP requests. The “Calls Recorder” app itself contains code that gathers contacts, phone calls, SMS, and other potentially sensitive information.

Figure 5: LeakerLocker ransom note taken from another app

We did not find any code indicating that LeakerLocker will actually do what it threatens to do. However, tapping into the user’s fear of being exposed can be an effective extortion tactic. While traditional file-encrypting ransomware does damage by actually encrypting files, LeakerLocker works on a deeper psychological level. This means that, even if the ransomware itself does nothing, merely indicating that it could do so can be just as effective. In any case, even though the code to carry out the threat is not present, the app can download additional code from the C&C server at any time.

Mitigation and Solutions

The key takeaway here is that “Calls Recorder” can download Java classes or JAR files from the internet and execute them, which means its malicious behavior is not limited to what ships in the app itself. As such, all mobile users should ensure that their devices are protected as much as possible from any external attacks. One method of doing this is by always reading the reviews of a particular app to check whether there are any comments about it being suspicious. In addition, users should always ensure that their devices are up to date and all required security patches are applied.

In addition, users should consider comprehensive antivirus solutions that can defend against mobile ransomware. Trend Micro™ Mobile Security blocks threats from app stores before they can be installed and cause damage to devices.

The following hashes were used in this entry:

SHA256

  • cb0a777e79bcef4990159e1b6577649e1fca632bfca82cb619eea0e4d7257e7b
  • 486f80edfb1dea13cde87827b14491e93c189c26830b5350e31b07c787b29387
  • 299b3a90f96b3fc1a4e3eb29be44cb325bd6750228a9342773ce973849507d12
  • c9330f3f70e143418dbdf172f6c2473564707c5a34a5693951d2c5fc73838459
  • d82330e1d84c2f866a0ff21093cb9669aaef2b07bf430541ab6182f98f6fdf82
  • 48e44bf56ce9c91d38d39978fd05b0cb0d31f4bdfe90376915f2d0ce1de59658
  • 14ccc15b40213a0680fc8c3a12fca4830f7930eeda95c40d1ae6098f9ac05146
  • cd903fc02f88e45d01333b17ad077d9062316f289fded74b5c8c1175fdcdb9d8
  • a485f69d5e8efee151bf58dbdd9200b225c1cf2ff452c830af062a73b5f3ec97
  • b6bae19379225086d90023f646e990456c49c92302cdabdccbf8b43f8637083e
  • 4701a359647442d9b2d589cbba9ac7cf56949539410dbb4194d9980ec0d6b5d4