The attacker community is continuing to expand the variety of ransomware strains it creates, including a recent variant that doesn’t encrypt victims’ files but instead threatens to send personal data and photos to their contacts.
Researchers at McAfee discovered this ransomware variant buried within a couple of apps in the Google Play app store recently. The apps purport to have legitimate functionality but once installed on a victim’s device, they eventually execute a malicious routine that involves collecting sensitive data from the device and then presenting the user with a ransom lock screen. The ransomware demands a payment of $50 to prevent the victim’s data from being sent around to her contacts.
One of the apps that includes the malware is called Wallpapers Blur HD and the other is Booster & Cleaner Pro, according to McAfee. Known as LeakerLocker, the ransomware gains access to victims’ personal data by asking for a broad range of permissions at installation.
“LeakerLocker locks the home screen and accesses private information in the background thanks to its victims granting permissions at installation time. It does not use an exploit or low-level tricks but it can remotely load .dex code from its control server so the functionality can be unpredictable, extended, or deactivated to avoid detection in certain environments,” the analysis by Fernando Ruiz and ZePeng Chen of McAfee says.
“Not all the private data that the malware claims to access is read or leaked. The ransomware can read a victim’s email address, random contacts, Chrome history, some text messages and calls, pick a picture from the camera, and read some device information.”
The LeakerLocker malware then will choose some of the data it has collected at random and display it on the lock screen with the ransom demand. The lock screen tells the victim that her data has been uploaded to the attacker’s “secure cloud” and will be sent to all of the victim’s phone and email contacts within 72 hours if the ransom isn’t paid. In fact, the data hasn’t been sent anywhere yet.
“When a victim inputs a credit card number and clicks ‘Pay,’ the code send a request to the payment URL with the card number as a parameter. If the payment succeeds, it shows the information ‘our [sic] personal data has been deleted from our servers and your privacy is secured.’ If not successful, it shows ‘No payment has been made yet. Your privacy is in danger.’ The payment URL comes from server; the attacker can set different destination card numbers on the server,” McAfee’s researchers say.
Mobile ransomware still is less prevalent than the desktop version, but it is becoming more common. In February, researchers at Palo Alto Networks discovered the Xbot ransomware infecting Android devices and stealing victims’ bank information in the process.