LeakerLocker Extortionware Test-Drives a New Malware Model

LeakerLocker Extortionware Test-Drives a New Malware Model

Move over, ransomware, there’s a new baddie in town: Extortionware.

A new Android malware dubbed LeakerLocker threatens to share victims’ private information and browsing history to all their contacts—causing potential embarrassment or worse.

According to McAfee, rather than encrypt files, the malware claims to have made an unauthorized backup of a phone’s sensitive information that could be leaked to a user’s contacts unless it receives “a modest ransom,” which at the time of writing was about $50.

It was found in two applications in the Google Play Store, Wallpapers Blur HD and Booster & Cleaner Pro, both of which have thousands of downloads. Both are trojans that offer apparently normal functions, but they ask for excessive permissions (like the ability to access calls, reading and sending SMS and access to contacts). Once installed, LeakerLocker locks the home screen and uses those permissions to tap the victim’s email address, random contacts, Chrome history, some text messages and calls, pictures from the camera, and some device information. If a victim pays the fee, a window pops up that says, “Your [sic] personal data has been deleted from our servers and your privacy is secured.”

McAfee researchers warned that the app also can remotely load code from its control server, “so the functionality can be unpredictable, extended or deactivated to avoid detection in certain environments.”

The malware is a bit of a sham, however: Bits and pieces of information are randomly chosen to display and convince the victims that all of their data has been copied. In reality, it’s unlikely the authors have made complete copies of the information.

"What’s worth noting here though is the fact that the rogue app, found in the Google Play Store, may not be telling the whole truth about how much user data it has filed away on the author’s server—only a limited amount of information is actually swiped,” said Lee Munson, security researcher at Comparitech.com. "Thus, victims should think very carefully about paying up. While early indications suggest that paying the ransomware may lead to any snatched data being deleted, to do so is to encourage malware authors to continue creating ransomware such as this. Not only that, but who’s to say the creator of LeakerLocker isn’t creating backups of the data it steals?”

Consumers however are likely to fall for the gambit, thanks to human nature.

"Bucking the recent trend of ransomware demanding money for the return of encrypted data, LeakerLocker’s business model is a potentially far more lucrative one, ensnaring a massive potential pool of Android users who need to hand over a mere $50 to avoid being doxed,” Munson added.

Ken Spinner, vice president of field engineering at Varonis, said that this initial example of extortionware could be just the beginning.

“LeakerLocker is a good test case for extortionware, which still has a few hurdles to clear. Ransomware encrypts data in place without actually stealing it,” he said. “Extortionware has to bypass traditional network monitoring tools that are built to detect unusual amounts of data leaving their network or device. Of course, information could be siphoned off slowly disguised as benign web or DNS traffic.”

He added, “A likely future is one where ransomware authors both encrypt and leak your data. Attackers could first encrypt the data then try to exfiltrate it. If you get caught during exfiltration, it’s not a big deal. Just pop up your ransom notification and claim your BTC.”

Google said that it is investigating the apps. 

Source: Information Security Magazine