A new variant of ransomware is spreading via phony apps on the Google Play Store which are targeting Android mobile users.
Unlike traditional ransomware, this new strain, dubbed LeakerLocker, does not encrypt files on the victim’s device. Instead, it plays on fear rather than cryptography, by allegedly collecting personal images, messages and browsing history, and threatening to share it to all of the contacts in the user’s address book, if they don’t pay the ransom of $50 (£38).
On 7th July 2017, the McAfee Mobile Malware Research team reported that they had identified this ransomware as Android/Ransom.LeakerLocker.A!Pkg and advised Google of the issue.
The ransomware was discovered in two apps available on Google Play Store. “Wallpapers Blur HD”is a wallpaper changer app, which has a rating of 3.6 and was last updated on the 7th April 2017. This app has been downloaded between 5,000 and 10,000 times.
“Booster & Cleaner Pro” is a memory-boosting app, with an even higher rating of 4.5. This app was last updated recently (28th June 2017) and has had between 1,000 and 5,000 downloads. It is clear that the user reviews have been faked, to obtain a good rating, and a lot of users have been fooled and are now at risk of being victims of the LeakerLocker ransomware.
To avoid being detected, the apps don’t hide a malicious payload. In fact, they function just like legitimate apps. However, once installed, the apps load their malicious code via a command-and-control server. Instructions are provided to collect sensitive data from the victim’s phone, which is aided due to the victim blindly granting excessive permissions (such as, the ability to manage calls, read and send messages, and have access to contacts) during installation.
Once activated, LeakerLocker locks the home screen and displays the following message: “All personal data from your smartphone has been transferred to our secure cloud. In less then 72 hours this data will be sent to every person from your telephone and email contacts list. To abort this action you have to pay a modest RANSOM of $50. Please note that there is no way to delete your data from our secure but paying for them. Powering off or even damaging your smartphone won’t affect your data in the cloud.”
McAfee Lab techs advise that not all the private data that the malware claims to access is actually read or leaked. The ransomware can read a victim’s email address, random contacts, Chrome history, some text messages and calls, pick a picture from the camera, and read some device information. Information is then randomly chosen to display on the locked home screen, which makes is look like a large amount of data has been copied.
If you have become a victim of LeakerLocker, FraudWatch International’s advice is “DO NOT PAY the ransom!” Doing so will only make the cyber-criminals hungry for more and encourage them to continue creating malicious software. There is also no guarantee that paying the ransom will get your data back (or in this case have the criminals delete it off their servers). There is no way of knowing whether they will release the information anyway, or even use it again for future blackmailing opportunities.
If you have installed either of the fraudulent apps, you should uninstall them immediately. To protect yourself from future cyber-attacks, only download apps from reputable developers. It is also a good idea for Android users to back up their mobile data regularly and install anti-virus software on their device.