
Ransomware on Android - Be careful what you download from Google Play store

GoodBytes

McAfee reports that it has found ransomware in the Google Play store, which Google has already removed as we speak.

Dubbed LeakerLocker, this latest threat was discovered in the apps Wallpapers Blur HD and Booster & Cleaner Pro.

 

Unlike traditional ransomware, this one doesn't encrypt your data; instead it will publish all your personal information online if you don't pay. This is called doxxing, a new type of ransomware. It tends to search through documents and apps' stored data for any personal information it can find, like stored passwords, your social security number (if you have it in a document or stored somewhere), phone numbers, e-mails, potentially pictures, and so on.

 

The ransomware asks for the equivalent of US$50 in Bitcoin, with the promise of not leaking the personal information it managed to acquire.

Below is a screenshot of what the app shows:

 

[Screenshot: 20170706-Leaker-1.png]

 

 

McAfee reports that the mentioned apps have already been downloaded thousands of times.

Some reviews indicate that some people were actually paying attention to the permissions the app needed, and wondered why the app needs access to the phone's contacts. However, we can easily imagine other apps that look like they would naturally need access to the phone's contacts and other things, and are granted it by the user. As we can see in the screenshots below, the app still managed to get great reviews.

 

 

[Screenshot: 20170706-Leaker-2.png]

 

[Screenshot: 20170706-Leaker-3.png]

 

McAfee says:

Quote

Both Trojans offer apparently normal functions, but they hide a malicious payload.

Let’s examine “Booster & Cleaner Pro” to see what happens with this hidden payload.

[Screenshot: 20170706-Leaker-4.png]

At first execution, the malware displays typical functions of Android boosters. Due to the nature of this kind of application, users could be more willing to allow access to almost any permission.

 

After the boot is complete, the receiver com.robocleansoft.boostvsclean.receivers.BoorReceiver initiates AlarmManager, which along with other conditions starts the malicious activity com.robocleansoft.boostvsclean.AdActivity and locks the device’s screen.

LeakerLocker locks the home screen and accesses private information in the background thanks to its victims granting permissions at installation time. It does not use an exploit or low-level tricks but it can remotely load .dex code from its control server so the functionality can be unpredictable, extended, or deactivated to avoid detection in certain environments.

 

Not all the private data that the malware claims to access is read or leaked. The ransomware can read a victim’s email address, random contacts, Chrome history, some text messages and calls, pick a picture from the camera, and read some device information.

 

At this point the information has not been transmitted by the code in the original app, but a transfer could occur if the control server provides another .dex file.

 

When a victim inputs a credit card number and clicks “Pay,” the code sends a request to the payment URL with the card number as a parameter. If the payment succeeds, it shows the information “our [sic] personal data has been deleted from our servers and your privacy is secured.” If not successful, it shows “No payment has been made yet. Your privacy is in danger.” The payment URL comes from the server; the attacker can set different destination card numbers on the server.

 

McAfee recommends not paying anything to this ransomware, as it encourages more of it.

Quote

We advise users of infected devices to not pay the ransom: Doing so contributes to the proliferation of this malicious business, which will lead to more attacks. Also, there is no guarantee that the information will be released or used to blackmail victims again.

 

Source 1: https://securingtomorrow.mcafee.com/mcafee-labs/leakerlocker-mobile-ransomware-acts-without-encryption/

Source 2: https://www.neowin.net/news/new-leakerlocker-android-ransomware-threatens-to-dox-victims-if-demands-are-not-met

 

It is recommended that you be careful what you download on your phone, especially since security updates are difficult to get, with manufacturers not delivering all Android updates and carriers blocking updates. In addition, carefully read what permissions the app asks for, and be sure the app doesn't ask for permissions it should not need. Also keep in mind time-based attacks, where the app might work just fine and then, after a few days or after you post a good review, infects you.

 

 

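Added example, not code from the McAfee report or from this thread: a small static triage in Python of the traits the report describes (a receiver bound to BOOT_COMPLETED, an activity that takes over the screen, permissions reaching contacts, SMS, call log and camera, and a reference to Android's DexClassLoader, which is how an app can load a .dex fetched from a server). Both manifests, the class-name list and the per-category permission baseline are constructed for the example; the real manifests of the two apps are not on this page, and the permission names are an assumption about what an app would have to request to read the data the report lists. The receiver and activity names are those quoted from the report.

```python
"""Static triage of an Android manifest for the traits McAfee describes above.

Added example, not code from the McAfee report or from this thread.  Both
manifests and the class-name list below are CONSTRUCTED for the example; the
real APKs are not on this page, and the permission names are an assumption
about what an app would need in order to read the data the report lists.
"""
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace

# Constructed manifest mirroring the reported behaviour: a BOOT_COMPLETED
# receiver and activity named as in the report, plus permissions that reach
# contacts, SMS, call log, camera and account e-mail addresses.
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.robocleansoft.boostvsclean">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <application android:label="Booster &amp; Cleaner Pro">
    <receiver android:name=".receivers.BoorReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <activity android:name=".AdActivity"/>
  </application>
</manifest>"""

# Constructed control: a wallpaper app that asks only for what it needs.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpapers">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SET_WALLPAPER"/>
  <application android:label="Wallpapers"><activity android:name=".MainActivity"/></application>
</manifest>"""

# Constructed class references, as `strings classes.dex` might list them.
SUSPECT_CLASS_REFS = ["Landroid/app/AlarmManager;", "Ldalvik/system/DexClassLoader;",
                      "Landroid/provider/ContactsContract;"]

# Permissions that grant the data access the report says the malware has.
DATA_ACCESS = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "text messages",
    "android.permission.READ_CALL_LOG": "call history",
    "android.permission.CAMERA": "camera",
    "android.permission.GET_ACCOUNTS": "account e-mail addresses",
}

# Assumed baseline of what each app category plausibly needs (example policy,
# not a Play Store rule).  Any DATA_ACCESS permission outside it is flagged.
PLAUSIBLE = {
    "cleaner": {"android.permission.INTERNET", "android.permission.RECEIVE_BOOT_COMPLETED"},
    "wallpaper": {"android.permission.INTERNET", "android.permission.SET_WALLPAPER"},
}


def parse_manifest(xml_text):
    """Return package name, requested permissions and receivers bound to BOOT_COMPLETED."""
    root = ET.fromstring(xml_text)
    perms = {e.get(A + "name") for e in root.iter("uses-permission")}
    boot_receivers = [
        r.get(A + "name") for r in root.iter("receiver")
        if any(a.get(A + "name") == "android.intent.action.BOOT_COMPLETED"
               for a in r.iter("action"))
    ]
    return {"package": root.get("package"), "permissions": perms,
            "boot_receivers": boot_receivers}


def triage(xml_text, category, class_refs=()):
    """Return a list of findings; an empty list means nothing stood out."""
    info = parse_manifest(xml_text)
    findings = []
    excess = sorted(p for p in info["permissions"]
                    if p in DATA_ACCESS and p not in PLAUSIBLE[category])
    if excess:
        findings.append("%s app reads %s" % (category, ", ".join(DATA_ACCESS[p] for p in excess)))
    if info["boot_receivers"] and "android.permission.INTERNET" in info["permissions"]:
        findings.append("runs at boot with network access via %s" % ", ".join(info["boot_receivers"]))
    if any("DexClassLoader" in ref for ref in class_refs):
        findings.append("references DexClassLoader: can load code fetched at runtime")
    return findings


if __name__ == "__main__":
    for finding in triage(SUSPECT_MANIFEST, "cleaner", SUSPECT_CLASS_REFS):
        print("-", finding)
    print("benign findings:", triage(BENIGN_MANIFEST, "wallpaper"))
```

The baseline is deliberately per category: the point the report makes is that a "booster" has no business reading contacts or SMS, while the same permissions on a messaging app would be unremarkable. On a real APK the manifest comes from `aapt dump xmltree` or apktool, and the class references from the decoded classes.dex; a DexClassLoader hit is only a lead, since it has legitimate uses too.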

Thanks for the info. :)

CPU: AMD Ryzen 5 5600X | CPU Cooler: Stock AMD Cooler | Motherboard: Asus ROG STRIX B550-F GAMING (WI-FI) | RAM: Corsair Vengeance LPX 16 GB (2 x 8 GB) DDR4-3000 CL16 | GPU: Nvidia GTX 1060 6GB Zotac Mini | Case: K280 Case | PSU: Cooler Master B600 Power supply | SSD: 1TB  | HDDs: 1x 250GB & 1x 1TB WD Blue | Monitors: 24" Acer S240HLBID + 24" Samsung  | OS: Win 10 Pro

 

Audio: Behringer Q802USB Xenyx 8 Input Mixer |  U-PHORIA UMC204HD | Behringer XM8500 Dynamic Cardioid Vocal Microphone | Sound Blaster Audigy Fx PCI-E card.

 

Home Lab:  Lenovo ThinkCenter M82 ESXi 6.7 | Lenovo M93 Tiny Exchange 2019 | TP-LINK TL-SG1024D 24-Port Gigabit | Cisco ASA 5506 firewall  | Cisco Catalyst 3750 Gigabit Switch | Cisco 2960C-LL | HP MicroServer G8 NAS | Custom built SCCM Server.

 

 


Quote

Unlike traditional ransomware, this one doesn't encrypt your data; instead it will publish all your personal information online if you don't pay.

Interesting, I was gonna say how is this going to work when there are no valuable unique files on a phone anyway, but I suppose that could work.

Solve your own audio issues  |  First Steps with RPi 3  |  Humidity & Condensation  |  Sleep & Hibernation  |  Overclocking RAM  |  Making Backups  |  Displays  |  4K / 8K / 16K / etc.  |  Do I need 80+ Platinum?

If you can read this you're using the wrong theme.  You can change it at the bottom.


So, more stuff I have to look into when I download stuff on my new phone. Fun. (eye rolling emote)

I'm mostly on Discord now and you can find me on my profile.

 

My Build: Xeon 2630L V, RX 560 2gb, 8gb ddr4 1866, EVGA 450BV 

My Laptop #1: i3-5020U, 8gb of DDR3, Intel HD 5500

 

 


Miners are rubbing their hands with each ransomware. After all, they affect currency spikes.


13 minutes ago, GoodBytes said:

McAfee reports that it has found ransomware in the Google Play store, which Google has already removed as we speak.

Dubbed LeakerLocker, this latest threat was discovered in the apps Wallpapers Blur HD and Booster & Cleaner Pro.

Ironic that McAfee found it, considering they're virtually worthless on Windows.  I'd sooner run a free AV than McAfee.

 

14 minutes ago, GoodBytes said:

McAfee recommends to pay anything to these ransomware, as it encourages more of them.

I think you meant to write, "not to pay anything".


18 minutes ago, GoodBytes said:

McAfee recommends to pay anything to these ransomware, as it encourages more of them.

Which side is McAfee on?

Come Bloody Angel

Break off your chains

And look what I've found in the dirt.

 

Pale battered body

Seems she was struggling

Something is wrong with this world.

 

Fierce Bloody Angel

The blood is on your hands

Why did you come to this world?

 

Everybody turns to dust.

 

Everybody turns to dust.

 

The blood is on your hands.

 

The blood is on your hands!

 

Pyo.


12 minutes ago, GoodBytes said:

Wallpapers Blur HD and Booster & Cleaner Pro.

the names of these apps alone should be enough to make some red lights and alarms go on.

 

wallpaper apps are a waste of space either way and anything with "booster", "speedup", "tuneup" in the name should be avoided either way no matter the platform. 

 

people should always be very careful what they install and always ask if they REALLY need to have it in the first place ... every app you DON'T install is a "speedup" to your phone/pc/mac/dishwasher

 

and of course pay attention to which permissions the app needs ... a flashlight app that needs permission to connect to the internet, access GPS and phone contacts?

 

yeah ... sounds like the kind of app i really want on my phone ...


20 minutes ago, Ryan_Vickers said:

Interesting, I was gonna say how is this going to work when there's no valuable unique files on a phone anyway, but I suppose that could work

That's where the sexting happens for lots of people, that makes it valuable not to be shown :)

 


if you get hit by this malware do these things

1) disable all connectivity on the phone (remove the sim card, make sure to forget your wifi)

2) Connect a usb drive (there are thumbdrives for phones), grab all your data off

3) format and reset the phone, install an antivirus app on your phone and perform a scan

4) connect the thumbdrive to a Windows/Mac and scan, look for files that aren't files you copied to it and delete them (make sure to enable viewing hidden and system files on Windows)

5) connect thumbdrive and backup.


7 minutes ago, laminutederire said:

That's where the sexting happens for lots of people, that makes it valuable not to be shown :)

 

That's why Apple doesn't let anything decode anyone's messages other than the ones sent on/to your device. You could leak millions of iMessages, they would all just be white noise.

 

Most applications do this. 

Laptop: 2019 16" MacBook Pro i7, 512GB, 5300M 4GB, 16GB DDR4 | Phone: iPhone 13 Pro Max 128GB | Wearables: Apple Watch SE | Car: 2007 Ford Taurus SE | CPU: R7 5700X | Mobo: ASRock B450M Pro4 | RAM: 32GB 3200 | GPU: ASRock RX 5700 8GB | Case: Apple PowerMac G5 | OS: Win 11 | Storage: 1TB Crucial P3 NVME SSD, 1TB PNY CS900, & 4TB WD Blue HDD | PSU: Be Quiet! Pure Power 11 600W | Display: LG 27GL83A-B 1440p @ 144Hz, Dell S2719DGF 1440p @144Hz | Cooling: Wraith Prism | Keyboard: G610 Orion Cherry MX Brown | Mouse: G305 | Audio: Audio Technica ATH-M50X & Blue Snowball | Server: 2018 Core i3 Mac mini, 128GB SSD, Intel UHD 630, 16GB DDR4 | Storage: OWC Mercury Elite Pro Quad (6TB WD Blue HDD, 12TB Seagate Barracuda, 1TB Crucial SSD, 2TB Seagate Barracuda HDD)

I know not everyone is as tech savvy as us here on the forum, but come on. Use some common sense, people! ;) Google and Apple need to make it a point to explain to people what exactly allowing this permission for this app will do, and what the app could do with it, and then things like this won't happen. And I'm sure that both companies could test an app every couple of updates or so to check if there is anything like this within an app. Though that is probably very easy to get round.

Bow down to me humans.

I can't help if you don't quote me. How am I supposed to know if you need my premium support? Now starting at £399.99 a year.

Also, be a sport and mark the correct answer as the correct answer. It will help pour souls in the future when they are stuck and need guidance.

"If it works, proceed to take it apart and 'make it work better.' Then cry for help when it breaks." - Me, about five minutes ago when my train of thought wandered.

Remember kids, A janky solution is still a solution.


3 minutes ago, System Error Message said:

install an antivirus app

I'm sorry but I just find it hilarious that this is a thing people actually do 


4 minutes ago, System Error Message said:

if you get hit by this malware do these things

1) disable all connectivity on the phone (remove the sim card, make sure to forget your wifi)

2) Connect a usb drive (there are thumbdrives for phones), grab all your data off

3) format and reset the phone, install an antivirus app on your phone and perform a scan

4) connect the thumbdrive to a windows/mac and scan, look for files that arent files you copied to it and delete it (make sure to enable view hidden and system files on windows)

5) connect thumbdrive and backup.

Go down the list, I guess:

  1. Can't forget the Wi-Fi if the screen's locked, as the app does. The solution to prevent network access in this case would be to disconnect the Wi-Fi network or blacklist the device from connecting.
  2. Can't do that if the screen's locked, as the app does.
  3. Resetting the phone would suffice, unless it's using some low level exploits to write to the system partition -- which would be noted, if it did. No need for the antivirus app.
  4. Won't really help? You can have known infected executables on a Windows machine that won't do anything unless you run them -- same applies here, and the infection is via means of an app. If the app isn't on the phone, then it can't/won't reinfect your device.
  5. See 2.

Just now, liamdoyle27 said:

Apple need to make it a point to explain to people about what exactly allowing this permission to this app will do

Apple has had app permissions down and clearly understandable since like iOS 5.


1 minute ago, DrMacintosh said:

I'm sorry but I just find it hilarious that this is a thing people actually should/have to do 

It's not. They're mostly, if not all, complete trash. I would go so far as to argue that they're 99% placebo on Android.


Just now, Jade said:

It's not. They're mostly, if not all, complete trash.

Agreed.


Just now, Jade said:

Go down the list, I guess:

  1. Can't forget the wifi if the screen's locked, as the app does.
  2. Can't do that if the screen's locked, as the app does.
  3. Resetting the phone would suffice, unless it's using some low level exploits to write to the system partition -- which would be noted, if it did. No need for the antivirus app.
  4. Won't really help? You can have known infected executables on a Windows machine that won't do anything unless you run them -- same applies here, and the infection is via means of an app. If the app isn't on the phone, then it can't/won't reinfect your device.
  5. See 2.

well then, should replace the first step with this.

reboot the phone into safe mode/backup mode and do the work from there


Wow, that would really suck. So many would be pissed because they have so much on their phone but probably no backup.

Shame that such a thing passed into the Google Play Store too. And also apps that many would likely search for, heh.

| Ryzen 7 7800X3D | AM5 B650 Aorus Elite AX | G.Skill Trident Z5 Neo RGB DDR5 32GB 6000MHz C30 | Sapphire PULSE Radeon RX 7900 XTX | Samsung 990 PRO 1TB with heatsink | Arctic Liquid Freezer II 360 | Seasonic Focus GX-850 | Lian Li Lanccool III | Mousepad: Skypad 3.0 XL / Zowie GTF-X | Mouse: Zowie S1-C | Keyboard: Ducky One 3 TKL (Cherry MX-Speed-Silver)Beyerdynamic MMX 300 (2nd Gen) | Acer XV272U | OS: Windows 11 |


2 minutes ago, Jade said:

It's not. They're mostly, if not all, complete trash. I would go so far as to argue that they're 99% placebo on Android.

Some good PC-based antivirus products have their Android app equivalents too, so just stick to those. Most people can't easily see that something is malware, which is why we need antivirus. I myself don't use any antivirus software because I already know which things are malware and I avoid using Internet Explorer/Edge. I also know how to manually remove malware too.


3 minutes ago, DrMacintosh said:

Apple has had app permissions down and clearly understandable since like iOS 5.

iOS has had problems in the past too.

The geek himself.


1 minute ago, DrMacintosh said:

Apple has had app permissions down and clearly understandable since like iOS 5.

No it's not. Yes, it will tell you that "this app will be able to access your contacts", but that is about it. For the unsuspecting, they will just tap agree or allow. They don't know. This should be more in your face and annoying so people actually read it. Maybe make it so they have to read it and put in their password. That would be annoying, but it would make people look.

 


On top of what everyone else has already said, this should be even less of an issue on Android Marshmallow and newer. Since 6.0 permissions are no longer granted at installation, but rather the first time the app requests it.

 

So chances are it will go:

"Give me money or else I will post your messages!" 

*Pop-up asking if you want to give wallpaper HD permission to read your messages*

 

But people giving permissions to apps is a real issue. 


Just now, System Error Message said:

well then, should replace the first step with this.

reboot the phone into safe mode/backup mode and do the work from there

Most people don't even know that Android has a safe mode -- much less how to access it. Most phones don't even document that it exists.

