July 11, 2017 By Mark Samuels 2 min read

Two applications that contained a new strain of ransomware known as LeakerLocker have been removed from the Google Play store. Rather than encrypt user files, according to McAfee, the ransomware in question locked the device and threatened to spread sensitive data.

Ransomware has become big news in recent weeks. More than 200,000 computers were hit by the first wave of the WannaCry ransomware attack in May, and researchers concluded that the Petya variant attacks that started on June 27 were intended to destroy data in Ukraine.

LeakerLocker Lurks in Android Apps

The McAfee team, which reported the threat to Google, identified the threat as Android/Ransom.LeakerLocker.A!Pkg. This new breed of ransomware was discovered in a wallpaper changer app known as Wallpapers Blur HD and a memory-boosting app called Booster & Cleaner Pro.

Upon successful installation, the ransomware locks the device’s home screen and accesses private information in the background through permissions granted during installation. The app can remotely load .dex code from its control server to change behavior and avoid detection.

Bleeping Computer reported that this type of ransomware, also referred to as doxware, has been seen before, but most of the earlier threats were empty.

Once it infects a device, LeakerLocker displays a message claiming that it has backed up the victim’s personal data to a secure cloud, McAfee reported. Then the malware attempts to extort a $50 ransom from the victim to prevent the spreading of private information to his or her contacts.

Don’t Trust the Reviews

Both Wallpapers Blur HD and Booster & Cleaner Pro apps received relatively good ratings on Google Play. However, McAfee researchers noted that fake reviews are common in fraudulent apps. However, one potentially real reviewer of Wallpapers Blur HD questioned why the app requested irrelevant permissions, such as making calls, sending SMS messages and accessing contacts.

McAfee experts have not identified code to help transfer user information to a remote server or to distribute personal contacts. Even if the ransomware is a scam, it would be unwise to rule out the possibility that it could download an additional module from its server to make good on its threat to disseminate personal data.

Google removed both apps. Unfortunately, Wallpapers Blur HD gathered between 5,000 and 10,000 downloads, while Booster & Cleaner Pro was downloaded between 1,000 and 5,000 times.

Responding to Ransomware

McAfee researchers advised users of infected devices not to pay the ransom, since doing so would help to support the malware business and increase the likelihood of further attacks. There is also no guarantee that the information will be released to victims upon payment of the ransom.

According to Graham Cluley, users can protect their devices from locker- and encryption-based mobile ransomware by only downloading apps from trusted developers. Android users should also back up their mobile data on a regular basis and install antivirus software.

More from

CVE-2023-20078 technical analysis: Identifying and triggering a command injection vulnerability in Cisco IP phones

7 min read - CVE-2023-20078 catalogs an unauthenticated command injection vulnerability in the web-based management interface of Cisco 6800, 7800, and 8800 Series IP Phones with Multiplatform Firmware installed; however, limited technical analysis is publicly available. This article presents my findings while researching this vulnerability. In the end, the reader should be equipped with the information necessary to understand and trigger this vulnerability.Vulnerability detailsThe following Cisco Security Advisory (Cisco IP Phone 6800, 7800, and 8800 Series Web UI Vulnerabilities - Cisco) details CVE-2023-20078 and…

X-Force data reveals top spam trends, campaigns and senior superlatives in 2023

10 min read - The 2024 IBM X-Force Threat Intelligence Index revealed attackers continued to pivot to evade detection to deliver their malware in 2023. The good news? Security improvements, such as Microsoft blocking macro execution by default starting in 2022 and OneNote embedded files with potentially dangerous extensions by mid-2023, have changed the threat landscape for the better. Improved endpoint detection also likely forced attackers to shift away from other techniques prominent in 2022, such as using disk image files (e.g. ISO) and…

The compelling need for cloud-native data protection

4 min read - Cloud environments were frequent targets for cyber attackers in 2023. Eighty-two percent of breaches that involved data stored in the cloud were in public, private or multi-cloud environments. Attackers gained the most access to multi-cloud environments, with 39% of breaches spanning multi-cloud environments because of the more complicated security issues. The cost of these cloud breaches totaled $4.75 million, higher than the average cost of $4.45 million for all data breaches.The reason for this high cost is not only the…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today