In recent developments following notorious ransomware threats like WannaCry and Petya, a sophisticated new strain of malware has emerged, specifically targeting Android users through deceptive applications on the Google Play Store. This new malware, known as LeakerLocker, diverges from conventional ransomware methods by not encrypting files. Instead, it stealthily gathers personal data—including images, messages, and browsing history—and threatens to distribute this information to the victim’s contacts unless a ransom of $50 (£38) is paid.
Security researchers at McAfee have identified LeakerLocker within at least two applications: Booster & Cleaner Pro and Wallpapers Blur HD, both of which have amassed a significant number of downloads. These apps initially function like any legitimate software, lacking any overt malicious payloads, which helps them evade early detection. Once downloaded, however, they connect to a command-and-control server to fetch malicious code, enabling them to exploit the permissions granted by users during installation.
Upon activation, LeakerLocker locks the victim’s home screen and displays a ransom note claiming to have transferred personal data to a secure cloud location. The message warns that failure to pay will result in the data being disseminated to all contacts within the user’s phone and email lists. It states, “In less than 72 hours this data will be sent to every person on your telephone and email contacts list.” The note emphasizes that simply powering off or damaging the device will not delete the data stored in the cloud.
Although researchers assert that LeakerLocker can access a variety of sensitive data—such as email addresses, random contacts, and some text messages—there is speculation that the actual data collected may be limited. The malware can also utilize the device’s camera to capture images and gather various device information, enhancing its threat profile.
Despite Google’s removal of these malicious apps from the Play Store, it is anticipated that similar tactics may be employed by cybercriminals to infiltrate other applications. Business owners are strongly advised to review any recently installed applications for potential vulnerabilities.
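Because apps of this kind carry no malicious payload at install time and only fetch it later, the permissions an app declares are the one signal available before any code arrives. The following is an added example (not code from McAfee or from the article) that reads an AndroidManifest.xml and reports which of the data categories named above the app could reach and whether it also holds network access to send them; the permission-to-data mapping and the sample manifest are constructed for this illustration.

```python
import xml.etree.ElementTree as ET

# Android manifest attributes live in this XML namespace.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping from real Android permissions to the data types the
# article says LeakerLocker threatens to leak (contacts, messages, camera
# images, browsing history). READ_HISTORY_BOOKMARKS is a legacy permission.
SENSITIVE = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "messages",
    "android.permission.CAMERA": "camera",
    "android.permission.READ_CALL_LOG": "call history",
    "com.android.browser.permission.READ_HISTORY_BOOKMARKS": "browsing history",
}


def requested_permissions(manifest_xml: str) -> set:
    """Return the set of permission names declared in <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}


def leak_exposure(manifest_xml: str) -> dict:
    """Summarise what personal data the app could collect and whether it
    also has the network access needed to upload it to a remote server."""
    perms = requested_permissions(manifest_xml)
    data = sorted(label for perm, label in SENSITIVE.items() if perm in perms)
    has_net = "android.permission.INTERNET" in perms
    return {"data_at_risk": data, "can_exfiltrate": has_net and bool(data)}


# Constructed manifest for a hypothetical "wallpaper" app that asks for far
# more than a wallpaper app needs.
SAMPLE_MANIFEST = """<manifest
  xmlns:android="http://schemas.android.com/apk/res/android"
  package="com.example.wallpapers">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
</manifest>"""

if __name__ == "__main__":
    print(leak_exposure(SAMPLE_MANIFEST))
```

A wallpaper or cleaner app that requests contacts, SMS and camera access together with INTERNET is exactly the profile worth questioning during a review of recently installed apps.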
For those who find themselves affected by this ransomware, a common temptation may arise to pay the ransom in exchange for the deletion of sensitive data. It is crucial to resist this, as paying ransoms only fuels further criminal activity and offers no guarantee that the obtained data will be permanently erased.
This incident serves as a stark reminder of the ongoing risks posed by ransomware and data breaches. Mapping the incident to the MITRE ATT&CK framework, to tactics such as initial access and data theft, can help organizations identify gaps in their cybersecurity defenses. It is imperative for businesses to bolster their processes around app permissions and data access to avert potential threats like LeakerLocker.
As the cyber landscape evolves, remaining vigilant and informed is essential for safeguarding sensitive information. Cybersecurity diligence is not just a technical requirement but a foundational necessity for today’s digital business environment.