LeakerLocker Promises to Expose Your Personal Information If You Don't Pay Ransom

There are ransomware families for Android. For those of you who haven't been living under the proverbial rock, this is not news. What you may not know, however, is that the ransomware strains for mobile devices are quite a bit different from their PC counterparts.

Very few of them have the power to actually encrypt files. Most are simple screen lockers which are trivial to remove if you know how to boot the phone into safe mode, though there are also some that can change the device's PIN code and leave you locked out. LeakerLocker is a lot more dangerous. At least that's what it claims.

After installation, it displays a ransom note saying that a data dump containing all your personal photos, emails, contacts, Facebook messages, calls, SMSs, and browsing history has been scraped and transferred to the crooks' "secure cloud." It also says that if you don't pay "a modest ransom of $50," the information will be sent to everyone you know. McAfee's experts were eager to find out if all of this is true.

One of the most worrying things they uncovered during their research is the fact that LeakerLocker is riding on the back of two Google Play applications. Needless to say, the experts alerted Google, and the apps were quickly taken down, but the fact that yet another strain of malware has made its way past the Bouncer shows that the people at Mountain View should really think about properly securing Android's official app store.

The first of the LeakerLocker-carrying apps is called Wallpapers Blur HD, and it was downloaded between 5,000 and 10,000 times before Google took it down. The reviews show that at least one user noticed the unusual number of permissions the application asks for upon installation. This is good news since it indicates that more and more people are starting to pay attention and some are even managing to protect themselves. With the second app that distributed the new ransomware, the story is a bit different.

It resided on Google Play under the name Booster & Cleaner Pro, and although it had fewer downloads, the likelihood of more people giving it all the permissions it asks for was greater since it promised to tweak the operating system and make the device faster. Indeed, the screen that appears after installation does look like the app is about to increase Android's productivity. In the background, however, Booster & Cleaner Pro activates its malicious payload, and a few moments later, it displays the ransom note.

The note itself comes with a handy payment system that lets the victim pay the ransom with a few easy taps on the screen. McAfee's researchers said that it works, but they also pointed out that victims shouldn't play by the hackers' rules. That's because while the payment system is fully functional, the rest of the ransomware isn't.

Thanks to a DEX file loaded directly from the Command and Control (C&C) server, LeakerLocker can indeed go through some of your information, but it's nowhere near as scary as the crooks' message would have you believe. It can, for example, get to your email address, and it can read through one of your text messages, but it can't get all the data. Furthermore, contrary to what the ransom note says, no information is sent to the crooks, which means that all the looming threats are full of hot air. In other words, LeakerLocker isn't as dangerous as it looks. Here comes the BUT, though.

The experts noted that adding the functionality promised in the ransom note is as easy as crafting a couple of malicious files. And the fact that the two apps carrying the ransomware spent a fair few months on Google Play shows that there's not much to deter the threat actors from trying to push an improved version of LeakerLocker on the official app store. All in all, users should still keep their eyes peeled.
