LeakerLocker ransomware

Google has removed two apps that contained a new strain of ransomware named LeakerLocker.

Discovered by security researchers from McAfee's mobile division, the ransomware doesn't encrypt users' files; it only locks the device and threatens to send the user's private data to friends from their contact list.

This type of ransomware, also referred to as doxware, has been seen in the past, but most of these threats turned out to be empty: the malware never actually leaked anything.

LeakerLocker distributed via Google Play Store

This new breed of ransomware was discovered last week inside two apps named "Wallpapers Blur HD" (wallpaper changer) and "Booster & Cleaner Pro" (app to boost a phone's memory).

Google has removed both apps, but before the takedown the first app managed to gather between 5,000 and 10,000 downloads, while the second was downloaded between 1,000 and 5,000 times.

Based on user comments, both apps appear to have been part of a rewards program that gave users small amounts of money to install an app on their device. This type of distribution scheme is becoming popular and has been used in the past to trick users into installing malware on their devices.

Experts aren't sure if this is a scam

Fernando Ruiz and ZePeng Chen, the two McAfee experts who analyzed the two apps, say the ransomware doesn't use any exploits and relies only on the permissions users grant it during the installation process.

Experts confirm that LeakerLocker has the ability to access data such as the user's email address, contacts, Chrome history, text messages, call history, pictures, and device information.

The experts haven't found code responsible for transferring this information to a remote server or for sending personal data to the user's contacts.

Nonetheless, even if this ransomware looks like a scam, McAfee won't rule out the possibility that the ransomware could download a module from its server to accomplish its threats if the user doesn't pay the ransom fee.

LeakerLocker is a screen locker and doesn't encrypt files

LeakerLocker makes its demands via a WebView component that it displays on top of all other apps, locking the user's screen until they pay the ransom.

Hoping that users opt to pay, the ransomware only asks for a $50 payment via a credit card transaction.
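The two technical facts above (the app needs no exploit, only install-time permissions covering contacts, SMS, call history, browser history, pictures and device info, plus the ability to draw a WebView over every other app) translate directly into a triage check an analyst can run on an APK's manifest. The following is an added example and not McAfee's code or anything from the malware: it parses an AndroidManifest.xml, maps the requested permissions onto the data categories the article lists, and flags the combination of broad data-reading permissions with the overlay permission. The mapping of categories to standard Android permission names is my assumption about which gates an analyst would check; the manifests are constructed samples.

```python
"""Manifest triage for LeakerLocker-style doxware (added example, not McAfee's code).

A screen-locking doxware app needs no exploit: it asks for the permissions
that read personal data and for the overlay permission that lets a WebView
cover every other app. This script flags that combination in a manifest.
"""
import xml.etree.ElementTree as ET

# Android attributes live in this namespace; element names do not.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Data categories named in the article, mapped to the standard Android
# permissions that ordinarily gate them (assumption: these are the gates a
# reviewer would check, not a statement about LeakerLocker's own manifest).
CATEGORY_PERMISSIONS = {
    "email/accounts": {"android.permission.GET_ACCOUNTS"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "browser history": {"com.android.browser.permission.READ_HISTORY_BOOKMARKS"},
    "text messages": {"android.permission.READ_SMS"},
    "call history": {"android.permission.READ_CALL_LOG"},
    "pictures": {"android.permission.READ_EXTERNAL_STORAGE"},
    "device info": {"android.permission.READ_PHONE_STATE"},
}
# Permission that allows drawing over other apps (the screen-lock ingredient).
OVERLAY_PERMISSION = "android.permission.SYSTEM_ALERT_WINDOW"


def requested_permissions(manifest_xml: str) -> set:
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(ANDROID_NS + "name")
        for el in root.iter("uses-permission")
        if el.get(ANDROID_NS + "name")
    }


def triage(manifest_xml: str, min_categories: int = 3) -> dict:
    """Score a manifest: which data categories it can read, whether it can
    overlay the screen, and a heuristic 'suspicious' verdict.

    The verdict is deliberately simple: overlay capability combined with
    read access to several personal-data categories is the doxware shape.
    A wallpaper changer or memory booster has no need for either.
    """
    perms = requested_permissions(manifest_xml)
    exposed = sorted(cat for cat, gates in CATEGORY_PERMISSIONS.items() if perms & gates)
    overlay = OVERLAY_PERMISSION in perms
    return {
        "exposed_categories": exposed,
        "overlay": overlay,
        "suspicious": overlay and len(exposed) >= min_categories,
    }


# Constructed manifests for demonstration (not the real apps' manifests).
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.wallpapers">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Wallpapers (constructed sample)"/>
</manifest>
"""

BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.benignwallpapers">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SET_WALLPAPER"/>
  <application android:label="Wallpapers (constructed benign sample)"/>
</manifest>
"""


if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        report = triage(manifest)
        print(f"{label}: overlay={report['overlay']} "
              f"exposed={report['exposed_categories']} suspicious={report['suspicious']}")
```

The check is a manifest-level heuristic, so it catches the shape of the threat the article describes (no exploit, just over-broad permissions plus an overlay) rather than any specific sample; a real review would pair it with the behaviour McAfee observed, such as the WebView lock screen and the absence of any upload code.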

In June, Chinese authorities arrested two individuals distributing Android ransomware after they handled payments via traceable channels. Because the LeakerLocker group handles ransom payments in a similar way, there's a high chance that authorities could track down this group as well. Below is what a standard LeakerLocker ransom note looks like.

LeakerLocker ransom note [via McAfee]

LeakerLocker hashes and other IOCs are available in McAfee's LeakerLocker report.