Android Ransomware: New Attack Threatens To Dox Victims With Stolen Information, Conversations

A new mutation of Android ransomware is threatening to publish private information about victims including contacts and photos if they refuse to pay the demanded ransom.

The mobile malware known as LeakerLocker was discovered by security firm McAfee and found its way onto the Google Play Store, where thousands of people have had the misfortune of installing the malware on their device and have been exposed to the extortion attempt.

Read: Android Malware: Apps In Google Play Store Spread 'Judy' Adware Attack To Nearly 40 Million Phones

LeakerLocker is not the typical ransomware attack, which have grown increasingly common in recent years. Instead of encrypting a user’s files and making them inaccessible, the malicious software instead displays a threat on the lock screen and begins scouring the device for private data it can use to attempt to threaten the victim with.

The attack doesn’t carry a heavy demand compared to most ransomware attacks; it asks users to pay $50 in order to remove itself from their mobile device. Users of the infected phones are motivated to pay the fee when they see what LeakerLocker supposedly gathers from their device.

According to the lock screen message displayed by LeakerLocker, the ransomware gathers personal photos, text messages, phone call history, Facebook messages, Google Chrome browser data, emails and GPS location history.

The ransomware also collects contact information from the device and, if the user fails to meet the $50 ransom demand within 72 hours of infection, threatens to send a collection of the victim’s private information to every person in their contacts on their phone and in their email.

Read: Android Malware: Cloak And Dagger Attack Can Secretly Record User Activity

Threatening as LeakerLocker seems, it is not quite as capable as it claims. According to researchers at McAfee, LeakerLocker does have some access to private information, which it grabs at random to generate a preview that makes it appear as those the ransomware has copied a lot of information.

While LeakerLocker might be bluffing about some of its capabilities, the threat alone is more than likely enough to convince some users to pay the ransom, at which point the ransomware assures the victim their “personal data has been deleted from our servers and your privacy is secured."

While it’s difficult to say exactly how many devices have been hit by LeakerLocker, at least a few thousand people have been compromised by the attack after downloading what they believed to be legitimate apps from the Google Play Store.

An app called “Booster & Cleaner Pro,” which claimed to optimize the performance of Android devices, had as many as 5,000 installations with a rating of 4.5 out of five despite being laced with LeakerLocker.

Another app, called “Wallpapers Blur HD,” had up to 10,000 downloads and also carried the ransomware. The app’s seemingly broad request for permissions on the device, including the ability to read and send text messages, produced at least some warnings from users in the reviews.

LeakerLocker is not the first instance of malware to sneak past Google’s detection and make its way onto the Google Play Store, including an adware attack called Judy that infected more than 40 million devices through infected apps in Google’s own app store.

Even when an attack makes it through the cracks and infects a device, users can protect themselves by keeping regular backups. Most ransomware or malware infections can be undone by resetting the device and restoring from a backup prior to the infection.