Two Apps on the Google Play store have been discovered to have been infected with a new strain of Ransomware
Google has just removed two apps infected by a new strain of ransomware, LeakerLocker.
The discovery was made by McAfee's mobile team. During their research they found that the ransomware did not encrypt users files, it locked their devices. Once locked a threat to send all of the users private data and messages to everyone in their contact list would appear on the screen.
This type of ransomware is known as Doxware. Doxing refers to publicly publishing private or identifying information about a particular individual online with malicious intent. That's right, Grandma's secret recipes that you've stored on your phone might not be secret for long!
LeakerLocker takes over the mobile device locking it. A ransom message is displayed until the user pays the $50 ransom fee via credit card. Very low compared to other ransomwares such as WannaCry and Petya, which "gives users an incentive to pay."
The ransomware discovered last week was hidden inside two apps: Booster & Cleaner Pro (used to boost phone's memory) and Wallpapers Blur HD (wallpaper changer).
Booster & Cleaner Pro Wallpapers Blur HD
Both apps have since been removed from the Google Play stores but not before garnering almost 15,000 downloads between them. User comments on the apps have made it appear as they were part of a rewards program.
Users were given small sums of money to install the apps on their mobile devices. This is part of a growing trend of schemes that tricks users into downloading malware onto their devices in exchange for real or virtual cash.
The worst part of all of this?
McAfee experts that discovered this say that the malware doesn't use any exploits and only relies on the permissions users grant the app during the installation process. ZePeng Chen and Fernando Ruiz, members of the McAfee mobile team, stated that LeakerLocker had the ability to "access data such as the user's email address, contacts, Chrome history, text messages, call history, pictures, and device information." All pretty seemingly normal permissions to ask users in general.
As of now the code that transfers the information to a remoter server and collect the users' contact and personal data has not been found. Although other scam apps do not lock users out, McAfee isn't ruling out that the ransomware could download a module from its server to go through with its' threat if a ransom fee isn't paid.
Source: Bleeping Computer