July 13, 2017

Android Ransomware App Threatens Spread of Pictures & Messages

Security researchers have uncovered a new form of ransomware that does not encrypt files to extort payments from victims.

Instead, this rogue mobile ransomware – spotted by researchers on Google Play – works by blackmailing victims with the threat of spreading their private information, including personal photos, contact details, messages, Facebook messages, browsing history, emails and more, to every person on the victim’s phone and email contact list.

The threat reads:

In less than 72 hours this data will be sent to every person from your telephone and email contacts list. To abort this action you have to pay a modest RANSOM of $50.

Upon discovery, security researchers at McAfee’s Mobile Malware Research arm labeled the ransomware ‘Android/Ransom.LeakerLocker.A!Pkg’, dubbing it the LeakerLocker malware.

Two Google Play applications have so far been found to spread the ransomware. One is ‘Wallpapers Blur HD’, an app that has been downloaded between 5,000 and 10,000 times. The second, ‘Booster & Cleaner Pro’, has been downloaded between 1,000 and 5,000 times but has a much higher rating, 4.5 compared to Wallpapers Blur’s 3.6, giving it further false credibility among unsuspecting users.

Researchers further revealed:

LeakerLocker locks the home screen and accesses private information in the background thanks to its victims granting permissions at installation time. It does not use an exploit or low-level tricks but it can remotely load .dex code from its control server so the functionality can be unpredictable, extended, or deactivated to avoid detection in certain environments.

Digging further, researchers discovered that the malware does not read or leak all the private data it claims to have access to. However, the ransomware is able to access the victim’s email address, Chrome history, random messages and calls, a picture from the camera roll and other device information.
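A static triage check that follows from the behaviour described above, as an added example that is not taken from McAfee's analysis or from the apps themselves: it flags a decoded APK that both requests permissions guarding the data types named here and references run-time .dex loaders. The permission mapping, the escalation threshold, the package names and the smali snippets are constructed assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
INTERNET = "android.permission.INTERNET"
# Assumed mapping: data named in the article -> Android permission guarding it.
SENSITIVE = {
    "android.permission.READ_SMS": "messages",
    "android.permission.READ_CALL_LOG": "calls",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.GET_ACCOUNTS": "email address",
    "android.permission.READ_EXTERNAL_STORAGE": "pictures",
    "com.android.browser.permission.READ_HISTORY_BOOKMARKS": "browsing history",
}
# Framework classes that can load code which was never in the reviewed APK.
DYNAMIC_LOADERS = ("Ldalvik/system/DexClassLoader;",
                   "Ldalvik/system/InMemoryDexClassLoader;",
                   "Ldalvik/system/DexFile;")

def triage(manifest_xml, smali_sources):
    """manifest_xml: decoded AndroidManifest.xml; smali_sources: {path: text}."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    data = sorted(SENSITIVE[p] for p in requested if p in SENSITIVE)
    loaders = sorted(path for path, text in smali_sources.items()
                     if any(cls in text for cls in DYNAMIC_LOADERS))
    # Escalate when broad data access, network access and dynamic code coincide:
    # a store-time review then cannot see everything the app may later do.
    escalate = len(data) >= 3 and INTERNET in requested and bool(loaders)
    return {"package": root.get("package"), "data": data,
            "loaders": loaders, "escalate": escalate}

def make_manifest(package, permissions):
    """Build a constructed decoded-manifest string for the samples below."""
    perms = "".join('<uses-permission android:name="%s"/>' % p for p in permissions)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            'package="%s">%s</manifest>' % (package, perms))

# Constructed samples (not real apps): a wallpaper app asking for everything,
# and one asking only for what a wallpaper app plausibly needs.
SUSPECT = make_manifest("com.example.wallpaper", list(SENSITIVE) + [INTERNET])
SUSPECT_SMALI = {"smali/com/example/wallpaper/Loader.smali":
                 "new-instance v0, Ldalvik/system/DexClassLoader;"}
BENIGN = make_manifest("com.example.plainwallpaper",
                       ["android.permission.SET_WALLPAPER", INTERNET])
BENIGN_SMALI = {"smali/com/example/plainwallpaper/Main.smali":
                "invoke-virtual {p0}, Landroid/app/Activity;->finish()V"}

if __name__ == "__main__":
    for manifest, smali in ((SUSPECT, SUSPECT_SMALI), (BENIGN, BENIGN_SMALI)):
        print(triage(manifest, smali))
```

A hit is a prompt for manual review, not a verdict: legitimate apps also load code dynamically, and an app can obtain data without any of the listed permissions.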

In the event of a successful payment (extortion), a screen message reads “our [sic] personal data has been deleted from our servers and your privacy is secured.”

Both apps have been reported to Google and can no longer be found on the Android platform’s Play Store.

About the author

LIFARS is the global leader in Digital Forensics and Cyber Resiliency Services. Our experience spans two decades working on high profile events, often in concert with Law Enforcement Agencies around the world. Our proprietary methodology derives directly and indirectly from our experience working with and for U.S. Intelligence Agencies, Interpol, Europol, and NATO. We are solely dedicated to Cyber Resiliency and thus pay close attention to all aspects of our clients’ engagement experience while providing a strategic and integrated array of services to minimize risk and disruption while protecting your brand.
