July 11, 2017 By Mark Samuels 2 min read

Two applications that contained a new strain of ransomware known as LeakerLocker have been removed from the Google Play store. Rather than encrypt user files, according to McAfee, the ransomware in question locked the device and threatened to spread sensitive data.

Ransomware has become big news in recent weeks. More than 200,000 computers were hit by the first wave of the WannaCry ransomware attack in May, and researchers concluded that the Petya variant attacks that started on June 27 were intended to destroy data in Ukraine.

LeakerLocker Lurks in Android Apps

The McAfee team, which reported the threat to Google, identified the threat as Android/Ransom.LeakerLocker.A!Pkg. This new breed of ransomware was discovered in a wallpaper changer app known as Wallpapers Blur HD and a memory-boosting app called Booster & Cleaner Pro.

Upon successful installation, the ransomware locks the device’s home screen and accesses private information in the background through permissions granted during installation. The app can remotely load .dex code from its control server to change behavior and avoid detection.

Bleeping Computer reported that this type of ransomware, also referred to as doxware, has been seen before, but most of the earlier threats were empty.

Once it infects a device, LeakerLocker displays a message claiming that it has backed up the victim’s personal data to a secure cloud, McAfee reported. Then the malware attempts to extort a $50 ransom from the victim to prevent the spreading of private information to his or her contacts.

Don’t Trust the Reviews

Both Wallpapers Blur HD and Booster & Cleaner Pro apps received relatively good ratings on Google Play. However, McAfee researchers noted that fake reviews are common in fraudulent apps. However, one potentially real reviewer of Wallpapers Blur HD questioned why the app requested irrelevant permissions, such as making calls, sending SMS messages and accessing contacts.

McAfee experts have not identified code to help transfer user information to a remote server or to distribute personal contacts. Even if the ransomware is a scam, it would be unwise to rule out the possibility that it could download an additional module from its server to make good on its threat to disseminate personal data.

Google removed both apps. Unfortunately, Wallpapers Blur HD gathered between 5,000 and 10,000 downloads, while Booster & Cleaner Pro was downloaded between 1,000 and 5,000 times.

Responding to Ransomware

McAfee researchers advised users of infected devices not to pay the ransom, since doing so would help to support the malware business and increase the likelihood of further attacks. There is also no guarantee that the information will be released to victims upon payment of the ransom.

According to Graham Cluley, users can protect their devices from locker- and encryption-based mobile ransomware by only downloading apps from trusted developers. Android users should also back up their mobile data on a regular basis and install antivirus software.

More from

When ransomware kills: Attacks on healthcare facilities

4 min read - As ransomware attacks continue to escalate, their toll is often measured in data loss and financial strain. But what about the loss of human life? Nowhere is the ransomware threat more acute than in the healthcare sector, where patients’ lives are literally on the line.Since 2015, there has been a staggering increase in ransomware attacks on healthcare facilities. And the impacts are severe: Diverted emergency services, delayed critical treatments and even fatalities. Meanwhile, the pledge some ransomware groups made during…

AI and cloud vulnerabilities aren’t the only threats facing CISOs today

6 min read - With cloud infrastructure and, more recently, artificial intelligence (AI) systems becoming prime targets for attackers, security leaders are laser-focused on defending these high-profile areas. They’re right to do so, too, as cyber criminals turn to new and emerging technologies to launch and scale ever more sophisticated attacks.However, this heightened attention to emerging threats makes it easy to overlook traditional attack vectors, such as human-driven social engineering and vulnerabilities in physical security.As adversaries exploit an ever-wider range of potential entry points…

4 trends in software supply chain security

4 min read - Some of the biggest and most infamous cyberattacks of the past decade were caused by a security breakdown in the software supply chain. SolarWinds was probably the most well-known, but it was not alone. Incidents against companies like Equifax and tools like MOVEit also wreaked havoc for organizations and customers whose sensitive information was compromised.Expect to see more software supply chain attacks moving forward. According to ReversingLabs' The State of Software Supply Chain Security 2024 study, attacks against the software…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today