July 13, 2017

Android Ransomware App Threatens Spread of Pictures & Messages

Security researchers have uncovered a new form of ransomware that does not encrypt files to extort payments from victims.

Instead, this rogue mobile ransomware – spotted by researchers on Google Play – works by blackmailing victims with the threat of spreading their private information, including personal photos, contact details, messages, Facebook messages, browsing history, emails and more, to every person on the victim’s phone and email contact list.

The threat reads:

In less than 72 hours this data will be sent to every person from your telephone and email contacts list. To abort this action you have to pay a modest RANSOM of $50.

Upon discovery, security researchers at McAfee’s Mobile Malware Research arm labeled the ransomware as ‘Android/Ransom.LeakerLocker.A!Pkg.’, dubbing it the LeakerLocker malware.

So far, two Google Play applications have been found to spread the ransomware. The first, ‘Wallpapers Blur HD’, has been downloaded between 5,000 and 10,000 times. The second, ‘Booster & Cleaner Pro’, has been downloaded between 1,000 and 5,000 times but has a much higher rating, 4.5 compared to Wallpapers Blur’s 3.6, which lends it further false credibility among unsuspecting users.

Researchers further revealed:

LeakerLocker locks the home screen and accesses private information in the background thanks to its victims granting permissions at installation time. It does not use an exploit or low-level tricks but it can remotely load .dex code from its control server so the functionality can be unpredictable, extended, or deactivated to avoid detection in certain environments.

Digging further, researchers discovered that the malware does not read or leak all the private data it claims to have access to. However, the ransomware is able to access the victim’s email address, Chrome history, random messages and calls, a picture from the camera roll and other device information.
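Because the malware depends on permissions granted at installation rather than on an exploit, a permission audit of the app's decoded AndroidManifest.xml is a useful triage step. The following is an added example, not code from the article or from McAfee's analysis; the permission-to-data mapping, the three-category threshold and the sample manifest are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NAME = "{http://schemas.android.com/apk/res/android}name"

# Assumed mapping: standard Android permissions that gate the data categories
# named in the article. This is not a published permission list for LeakerLocker.
SENSITIVE = {
    "android.permission.GET_ACCOUNTS": "account / email address",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "messages",
    "android.permission.READ_CALL_LOG": "call history",
    "android.permission.READ_EXTERNAL_STORAGE": "photos on shared storage",
    "com.android.browser.permission.READ_HISTORY_BOOKMARKS": "browser history (pre-6.0)",
}

def audit_manifest(manifest_xml, justified=()):
    """Report sensitive data an app can read beyond what its stated purpose justifies."""
    root = ET.fromstring(manifest_xml)
    # Match <uses-permission> and its variants such as <uses-permission-sdk-23>.
    requested = {el.get(ANDROID_NAME) for el in root.iter()
                 if el.tag.startswith("uses-permission")}
    unjustified = sorted(label for perm, label in SENSITIVE.items()
                         if perm in requested and perm not in justified)
    can_upload = "android.permission.INTERNET" in requested
    return {
        "package": root.get("package"),
        "unjustified": unjustified,
        "can_upload": can_upload,
        # Assumed threshold: three or more unexplained categories plus network access.
        "review": can_upload and len(unjustified) >= 3,
    }

# Constructed sample: a wallpaper app that asks for far more than wallpapers need.
WALLPAPER_APP = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpapers">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission-sdk-23 android:name="android.permission.READ_CALL_LOG"/>
</manifest>"""

STORAGE_ONLY = {"android.permission.READ_EXTERNAL_STORAGE"}

if __name__ == "__main__":
    print(audit_manifest(WALLPAPER_APP, justified=STORAGE_ONLY))
```

The `justified` set is the reviewer's judgement of what the app's advertised function needs; anything sensitive outside it is what gets reported.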

In the event of a successful payment (extortion), a screen message reads “our [sic] personal data has been deleted from our servers and your privacy is secured.”

Both apps have been reported to Google and can no longer be found on the Android platform’s Play Store.

Image credit: Pixabay.

About the author

LIFARS is a digital forensics and cybersecurity intelligence firm based in New York City. LIFARS is ranked as one of the top Digital Forensics and Cyber Investigations companies in 2016 and as one of the top cybersecurity companies in the New York metropolitan area for 2015 on the Cybersecurity 500 – a directory of the hottest and most innovative companies to watch in the cybersecurity industry.
