Sunday, February 9, 2025
HomeRansomwareMobile Ransomware "LeakerLocker" Found in Play store Apps that Encrypt and Send...

Mobile Ransomware “LeakerLocker” Found in Play store Apps that Encrypt and Send Personal Data on a Remote Server

Published on

SIEM as a Service

Follow Us on Google News

Mobile Ransomware called “LeakerLocker” found in 3 Google Play store Applications that encrypt the Victims Personal information such as Contact List that send it Across Remote server and Exposed it.

Google PlayStore Malware’s are Evolving day by day which has to threaten Millions of Peoples and few weeks before LeakerLocker were Already found Another Android App.

3 Dangerous Android Applications “Wallpapers Blur HD”, “Booster & Cleaner Pro”, and “Calls Recorder” were Found in Google Play store that carried this LeakerLcker Ransomware.

This Ransomware Detected as  ANDROIDOS_LEAKERLOCKER.HRX  and also found some similar apps that had the same name which has similar Functionality of LeakerLocker.

Trend Micro  Researchers said, While there is no evidence that these applications were made by the same person, it is highly possible that a single developer created them, given that they all carry the ransomware.

Also Read    Machine learning system to create invisible malware’s – gym-malware

LeakerLocker Infection Flow

Initially, once User Download the Malicious Apps which is having Embedded LeakerLocker Ransomware that steals Personal information of the Victims.

Before Proceeding App Performs Various Checks and Communicate with C & C server later it Drops the Malware on the Victims Machine.Ransomware

Infection Flow of LeakerLocker

An Application called “Calls Recorder” which was found in Google PlayStore that initially gather the numbers of contacts, photos, and recent phone calls to check whether those numbers are larger than the previously defined numbers.

But Malicious Code will not Execute if there will not enough contacts, photos and Phone calls that less than defined.

Evade the Dynamic Malware Detection, this Application Delayed 15 Minutes to Execution of its Malicious code into the victims Mobile.

Later “Calls Recorder” check the WiFi Connection of the weather user enabled WiFi Connection or not and disable it before checking the Mobile data connection.

This Malicious code will not perform if mobile data connection will not be enabled.later it will restore the WIFi Connection.

Ransomware

Malicious Calls Recorder App

Installed malware from Google Play store will perform only perform its Malicious Activities by only using its installation Method.

Trend Micro said, After all the required checks pass, “Calls Recorder” will send a request to hxxp://updatmaster.top/click[.]php. If the request is successful, it will send a broadcast that triggers the malware.
 Once the receiver receives the broadcast, it will launch another Java class named x.ld.Ld. After the related broadcast is sent, the app loads and x.ld.Ld requests data from hxxp://176.9.18.91 to get further instructions.
 

The server will Respond With JAR Files that downloaded and Configured. According to Researchers Analyse, server response, “Calls Recorder” will download two JAR files — “u.jar” and “x.awvw.Awvw.jar”, as well as their configurations. “Calls Recorder” will then load, execute, and remove these two JAR files.

Finally “support.jar” opens the Web page view that contains the information showing details of contacts, phone calls, SMS, and other potentially sensitive information.

Ransomware

LeakerLocker Ransomware Alert

Trend Micro Said, We did not actually find any code indicating that LeakerLocker will actually do what it threatens to do. However, tapping into the user’s fear of being exposed can be an effective extortion tactic. While traditional file encrypting Ransomware does damage by actually encrypting files, LeakerLocker works on a deeper psychological level.

Image Source: Trend Micro

Also Read   Mobile Banking Malware “Svpeng” Working as a Keylogger and Steals Contacts and Call Logs

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

UK Pressures Apple to Create Global Backdoor To Spy on Encrypted iCloud Access

United Kingdom has reportedly ordered Apple to create a backdoor allowing access to all...

Autonomous LLMs Reshaping Pen Testing: Real-World AD Breaches and the Future of Cybersecurity

Large Language Models (LLMs) are transforming penetration testing (pen testing), leveraging their advanced reasoning...

Securing GAI-Driven Semantic Communications: A Novel Defense Against Backdoor Attacks

Semantic communication systems, powered by Generative AI (GAI), are transforming the way information is...

Cybercriminals Target IIS Servers to Spread BadIIS Malware

A recent wave of cyberattacks has revealed the exploitation of Microsoft Internet Information Services...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

Abyss Locker Ransomware Attacking Critical Network Devices including ESXi servers

The Abyss Locker ransomware, a relatively new but highly disruptive cyber threat, has been...

Globe Life Ransomware Attack Exposes Personal and Health Data of 850,000+ Users

Globe Life Inc., a prominent insurance provider, has confirmed a major data breach that...

New ‘SHIELD’ Platform Leverages FPGA and Off-Host Monitoring to Tackle Advanced Ransomware Threats

In a significant advancement against increasingly sophisticated ransomware threats, researchers from NYU Tandon School...