LeakerLocker ransomware found in two Google Play Store apps

Google Play Store takes down two malicious apps that contained LeakerLocker ransomware

According to Android^[1], all applications undergo a rigorous security testing before they make it to the Google Play Store. Unfortunately, the word “rigorous” might not be the right one since every once in a while malicious apps manage to hop into the Google Play Store and become available to all Android users.

This time, two malicious apps managed to sneak into the official application store and attack anyone who decided to install it. It turns out that the deceptive apps contained a new strain of ransomware dubbed LeakerLocker.

The ransomware was found in “Wallpapers Blur HD” and “Booster & Cleaner Pro” applications. The first one was successfully downloaded into 5,000-10,000 devices, while the second one wasn’t so popular and compromised between one to five thousands Android devices.

Android users seem to be easily tricked by apps that promise to pay users for installing “partner apps.” Such rewards programs simply ask to install certain applications to start earning money instantly. It turns out that both malicious programs were included in such reward programs and that explains why so many users installed it.

Activity of the LeakerLocker

After compromising victim’s Android device, the malware displays a screenlocker that says:

All personal data from your smartphone has been transferred to our secure cloud. It contains: personal photos, contact numbers, sent and received SMS, phone calls history, Facebook messages, Chrome visits history, full email texts and GPS location history.

The ransomware wants to receive the payment within 72 hours and threatens the victim to send the collected data to all phone and email contacts found on the device. However, unlike typical ransom-demanding viruses, this one doesn't encrypt victim's files.

Both programs are capable of accessing user’s email address, contacts, text messages, call history, also browsing history, device information and pictures. According to experts, the malicious apps are not capable of stealing information from victim’s device and transferring it to a remote server.

However, researchers from McAfee claim^[2] that it would be naive to expect that the malware cannot download additional components from its server in order to carry out the threats. The malware demands $50 as a ransom.

Android malware is on a rise

While scammers do their best trying to upload malicious apps onto Google Play Store, users need to remember that Android viruses can hide in other places as well. It is extremely important to be careful when installing applications downloaded from other locations than the Google Play Store.

Researchers from Palo Alto Networks recently detected a Trojan horse that targets Android users^[3].

The new malware is called a SpyDealer, and it is capable of spying and stealing private information from victim’s device. According to experts, the malware might be injected into free software available in unofficial app stores.

The malicious program can infringe user’s privacy and steal information from apps such as Facebook, Skype, Whatsapp, Firefox, and others. Besides, it also begins tracking victim’s SMS conversations, call history, phone numbers, and geolocation of the device. On top of that, SpyDealer can silently take screenshots, record victim’s conversations and catch every sound around the compromised phone.

Considering that Androids are much more vulnerable to malware attacks^[4] than, for example, iOS devices, we suggest users to stay cautious and carefully think before installing questionable programs on their devices.

We do not recommend joining those reward programs that ask you to clutter your phone with useless apps just to earn a couple of cents. The risk of infecting your device is considerable, and you shouldn’t take such risks. To keep up with the latest computer and smartphone malware news, we suggest checking the Virus Activity site^[5].