LeakerLocker: A new mobile ransomware that extorts users and threatens to share personal information

This Android malware affects Android phones through ‘bogus’ apps downloaded from the Google Play Store

Highlights

    • This malware targets Android devices
    • McAfee discovered the malicious software in two apps: Booster & Cleaner Pro and Wallpapers Blur HD
    • The malware attempts to extort the victim by demanding a ransom of $50

Ransomware has become a serious security threat for mobile users, especially those in the Android ecosystem. While OEMs focus more on usability, data protection and security for mobile devices are still underestimated. After WannaCry and the more vicious Petya ransomware caused major disruption at several organisations, a new strain of ransomware called LeakerLocker has spread across the Android platform.

This new Android malware affects Android phones through ‘bogus’ apps downloaded from the Google Play Store. Security firm McAfee discovered the malicious software in two apps in the Play Store, Booster & Cleaner Pro and Wallpapers Blur HD. Interestingly, they have thousands of downloads, which means thousands of Android phones might already have been infected.

What is LeakerLocker?

The Android malware extorts victims by threatening to share their private information and browsing history with their contacts, causing ‘potential embarrassment’. According to McAfee, LeakerLocker makes an unauthorised backup of a phone’s sensitive information that could be leaked to an Android user’s contacts unless it receives “a modest ransom”.


How does this LeakerLocker infect Android users’ phones?

The bogus apps are said to be trojans that offer ‘normal functions’ but ask for excessive permissions. When users install these malicious apps, LeakerLocker locks the home screen and accesses private information in the background through permissions that are granted while installing these apps. Once the device is infected, LeakerLocker pops up a message claiming that it has backed up the victim’s personal data to a ‘secure cloud’, McAfee says. The malware then attempts to extort the victim by demanding a ransom of $50.

“LeakerLocker locks the home screen and accesses private information in the background thanks to its victims granting permissions at installation time. It does not use an exploit or low-level tricks but it can remotely load .dex code from its control server so the functionality can be unpredictable, extended, or deactivated to avoid detection in certain environments,” the firm wrote in its blog.

“Not all the private data that the malware claims to access is read or leaked. The ransomware can read a victim’s email address, random contacts, Chrome history, some text messages and calls, pick a picture from the camera, and read some device information,” it added.
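
One way to check for the permission mismatch described above, as an added example that is not McAfee's code or part of the original article: a Python check over `aapt dump permissions` output that flags an app requesting several of the data categories McAfee lists. The permission mapping, the threshold of three, and the package names are assumptions made for illustration.

```python
import re

# Assumed mapping (not from McAfee's report) from the data categories the
# article lists to Android permissions that guard that kind of data.
SENSITIVE = {
    "android.permission.GET_ACCOUNTS": "account e-mail address",
    "android.permission.READ_CONTACTS": "contacts",
    "com.android.browser.permission.READ_HISTORY_BOOKMARKS": "browser history",
    "android.permission.READ_SMS": "text messages",
    "android.permission.READ_CALL_LOG": "call log",
    "android.permission.READ_EXTERNAL_STORAGE": "stored pictures",
    "android.permission.READ_PHONE_STATE": "device information",
}

# Accepts both `uses-permission: name='X'` and the older `uses-permission: X`.
PERM_RE = re.compile(r"^uses-permission(?:-sdk-23)?:\s*(?:name=)?'?([\w.]+)'?", re.M)
PKG_RE = re.compile(r"^package:\s*(?:name=)?'?([\w.]+)'?", re.M)

def audit(dump, threshold=3):
    """Return (package, sorted data categories, flagged) for one permission dump."""
    pkg = PKG_RE.search(dump)
    requested = set(PERM_RE.findall(dump))
    hits = sorted(SENSITIVE[p] for p in requested if p in SENSITIVE)
    return (pkg.group(1) if pkg else "?", hits, len(hits) >= threshold)

# Constructed samples with hypothetical package names, not the real apps.
WALLPAPER = """package: com.example.wallpaper
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.READ_CALL_LOG'
uses-permission: name='android.permission.GET_ACCOUNTS'
"""
BENIGN = """package: com.example.clock
uses-permission: android.permission.WAKE_LOCK
uses-permission: android.permission.VIBRATE
"""

if __name__ == "__main__":
    for dump in (WALLPAPER, BENIGN):
        pkg, hits, flagged = audit(dump)
        print(pkg, "REVIEW" if flagged else "ok", hits)
```

A flag here only means the requested permissions deserve a second look given what the app claims to do; because the malware can load additional .dex code remotely, a static permission check does not show everything the app may do at run time.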

Reviews are not always true

Reports note that the Wallpapers Blur HD app has been downloaded between 5,000 and 10,000 times, while Booster & Cleaner Pro has been downloaded between 1,000 and 5,000 times. Both Trojans have a relatively good rating in the Play Store, with one rated 3.6 while the other had a 4.5 rating. McAfee researchers did point out that fake reviews are quite ‘common’ on fraudulent apps.


How to protect your Android devices from getting infected?

Both malicious apps have been removed from the Play Store, but users might still be at risk, as cyber attackers would likely try to smuggle the malware into other apps. Researchers advise that users can protect their devices by downloading apps only from trusted developers and installing antivirus software.

Regarding the LeakerLocker ransomware, McAfee researchers have advised users who have been hit by the ransomware not to pay the ransom, since doing so motivates cyber criminals and supports the malware business. Besides, there is no guarantee that the miscreants will delete the stolen information from their server after the ransom is paid.