Android LeakerLocker malware locks device screens, does little else
Android LeakerLocker malware locks device screens, does little else

Google is investigating a malware variant found on two Google Play apps by McAfee's Mobile Malware Research team that attempts to blackmail its victims by threatening to release their private information if they don't pay a ransom.

However, the McAfee team has shown that while that hackers can access some of the victim's data for the most part the threat is empty as it is only a screen locker and does not encrypt or download files.

“It's a scareware campaign; the goal is to claim that they are holding sensitive information that will be a cause of embarrassment if released to everyone on the victims contact list. This is new to Google Play, we haven't seen such a campaign like this before,” the McAfee researchers told SC Media in an emailed statement.

The malware, a ransomware variant identified as Android/Ransom.LeakerLocker.A!Pkg or LeakerLocker by McAfee, has been found on the apps Wallpapers Blur HD and Booster & Cleaner Pro each of which have been downloaded thousands of times. In both cases the apps do function as advertised, but each also contains a hidden payload. That being a malware that can encrypt the files on a mobile device.

Once the malware-laden Booster & Cleaner Pro is installed and booted its initiates AlarmManager, one of the many permissions the user must agree to during the download process, which starts the malicious activity. At this point LeakerLocker does, as its name indicates, and locks the victim's screen. Again using the permissions it has gained from the user it begins to access the private information found on the phone. However, what is actually grabbed by the malware is limited and less than what the hacker claims to have accessed.

“Not all the private data that the malware claims to access is read or leaked. The ransomware can read a victim's email address, random contacts, Chrome history, some text messages and calls, pick a picture from the camera, and read some device information,” the report states.

A payment threat is then placed on the device screen, “No payment has been made yet. Your privacy is in danger.” McAfee said the payment amount varies between $50 and $100.

If the victim acquiesces and send in a payment another message appears “our [sic] personal data has been deleted from our servers and your privacy is secured.”  

However, McAfee noted even a payment does not guarantee the victim will not hear again from the hackers.

“As with all Ransomware/Scareware, there is no such thing as honor amongst thieves, even with a payment being made there is no guarantee they will not release information or further attempt to blackmail the victims if they discover additional information they can exploit,” McAfee said.

Google has removed the apps from Google Play.