McAfee reports that it has found a ransomware in the Google Play store, which have already been removed by Google as we speak.
Dubbed LeakerLocker, this latest threat was discovered in the app Wallpapers Blur HD and Booster & Cleaner Pro.
Unlike traditional ransomware, this one doesn’t encrypt your data, instead if will publish all your personal information online if you don’t pay. This is called doxxing, a new type of ransomware. Doxxing tend to search through documents, apps stored data, for any personal information it can found, like stored passwords, social security number (if yo have it in a document or stored somewhere) phone numbers, e-mails, potentially pictures, and so on.
The ransomware asks $50 US equivalent in Bitcoins with the promise of not leaking your personal information it managed to acquired.
Bellow is a screenshot of what the app shows:
McAfee reports that the mentioned apps have already been downloaded thousands of times.
Although, many reviewers indicated that some people where actually paying attention to the permission the app needed, where they wondered why the app needs permissions for the phone Contacts. Although, we can easily imagine other apps who looks like it would naturally need access to the phone contacts and other things, and are granted by the user. As we can see bellow screenshots, the app still managed to get great reviews.
Both Trojans offer apparently normal functions, but they hide a malicious payload.
Let’s examine “Booster & Cleaner Pro” to see what happens with this hidden payload.
At first execution, the malware displays typical functions of Android boosters. Due to the nature of this kind of application, users could be more willing to allow access to almost any permission.
After the boot is complete, the receiver com.robocleansoft.boostvsclean.receivers.BoorReceiver initiates AlarmManager, which along with other conditions starts the malicious activity com.robocleansoft.boostvsclean.AdActivity and locks the device’s screen.
LeakerLocker locks the home screen and accesses private information in the background thanks to its victims granting permissions at installation time. It does not use an exploit or low-level tricks but it can remotely load .dex code from its control server so the functionality can be unpredictable, extended, or deactivated to avoid detection in certain environments.
Not all the private data that the malware claims to access is read or leaked. The ransomware can read a victim’s email address, random contacts, Chrome history, some text messages and calls, pick a picture from the camera, and read some device information.
At this point the information has not been transmitted by the code in the original app, but a transfer could occur if the control server provides another .dex file.
When a victim inputs a credit card number and clicks “Pay,” the code send a request to the payment URL with the card number as a parameter. If the payment succeeds, it shows the information “our [sic] personal data has been deleted from our servers and your privacy is secured.” If not successful, it shows “No payment has been made yet. Your privacy is in danger.” The payment URL comes from server; the attacker can set different destination card numbers on the server.
McAfee recommends to not to pay anything to these ransomware, as it encourages more of them.
We advise users of infected devices to not pay the ransom: Doing so contributes to the proliferation of this malicious business, which will lead to more attacks. Also, there is no guarantee that the information will be released or used to blackmail victims again.
It is recommended that you should be careful what you download on your phone, especially that security updates are difficult to be passed from manufactures not delivering all Android updates, and carrier blocking updates. In addition, to carefully read what permissions the app asks for, and be sure the app doesn’t ask permission it should not need. Keep in mind of also time based attacks, where the app might work just fine and after a few days, or after you post a good review, it infects you.