LeakerLocker: Mobile Ransom/Doxware

Today, I learned about a relatively new type of Android malware, dubbed LeakerLocker. It is spread via malicious apps in the Google Play Store, but the unique thing about LeakerLocker is that it doesn't need to encrypt your device to hold you to ransom. In fact, it doesn't need to do anything "special" at all...

What Is LeakerLocker?

LeakerLocker is a relatively new discovery that came from a couple of McAfee security researchers. It is spread via malicious apps within the Google Play Store, and at the time of writing this article only two such apps have been discovered, both of which have since been removed from the Play Store. However, that's not to say more don't exist, or can't be added in the future.

Once one of these malicious apps is installed and permissions are granted (as is standard with many legitimate Android apps), LeakerLocker immediately locks the device's home screen and begins accessing your personal data in the background.

The ransomware then asks for a "modest" payment of $50 to "protect your privacy". If you don't pay in 72 hours, it threatens to share your personal data with all of your contacts. Here is an example of the LeakerLocker lock screen (credit: McAfee):

Most ransomware, like WannaCry, encrypts the local storage and only provides the decryption key once a ransom is paid. LeakerLocker is different. It isn't actually holding your data to ransom, since nothing is encrypted and you can still get the data off by simply plugging the device into a computer. What it is holding to ransom is your privacy.

Because LeakerLocker threatens people's privacy rather than their files, some have dubbed it "doxware", after the term "doxing".

Doxing - to search for and publish private or identifying information about (a particular individual) on the Internet, typically with malicious intent.

How LeakerLocker Works

LeakerLocker does lock your home screen, and it does access your private data. However, it's not all it makes itself out to be, not by default at least.

LeakerLocker does not use an exploit as such, or indeed any kind of low-level trick; it relies entirely on the permissions the user grants it at install time. It can, however, remotely load .dex code from its control server, so the functionality of LeakerLocker can be extended at any time by pushing down more .dex code.

Not all of the data that LeakerLocker claims to access is actually read or leaked. It can read email addresses, a random selection of contacts, Chrome history, some text messages and call records; it will pick a picture from the camera, and read some device information. However, in the samples analysed so far there is no evidence that any of this data is uploaded to a remote server. The random selection of data is merely a ploy to convince the victim that they have been compromised.

Example LeakerLocker code (credit: McAfee):

However, there is no reason why additional .dex code couldn't be deployed that zips up your data and uploads it to a remote server.
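The two things described above, a broad set of data-access permissions combined with the ability to fetch and run .dex code at runtime, are exactly what an analyst would look for when triaging a suspect app. The following is an added example of such a static triage check, not code from McAfee or from the LeakerLocker samples. It assumes the APK has already been decoded (for example with apktool) so that AndroidManifest.xml is plain XML and a `strings`-style dump of classes.dex is available; the permission list, the score weights and threshold, and both sample inputs are constructed assumptions for illustration.

```python
"""Static triage of a decoded Android app for doxware-style capabilities.

Added example with constructed inputs; not taken from the LeakerLocker samples.
Assumes the APK has been decoded (e.g. apktool) so the manifest is plain XML,
and that a string dump of classes.dex (e.g. `strings classes.dex`) is available.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that together give an app the reach the article describes:
# contacts, SMS, call log, stored photos and (legacy) browser history.
# Hypothetical list; extend it to match what you care about.
DATA_ACCESS_PERMS = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_EXTERNAL_STORAGE",
    "com.android.browser.permission.READ_HISTORY_BOOKMARKS",
}
# Permission commonly used to draw a window over everything else (a "lock screen").
OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"

# Class names / method names whose presence means code can be loaded at runtime.
DYNAMIC_LOAD_MARKERS = (
    "dalvik/system/DexClassLoader",
    "dalvik/system/PathClassLoader",
    "dalvik/system/InMemoryDexClassLoader",
    "loadDex",
)


def manifest_permissions(manifest_xml):
    """Return the set of <uses-permission android:name="..."/> values."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name", "") for el in root.iter("uses-permission")}


def dex_dynamic_load_hits(dex_strings):
    """Return the dynamic-code-loading markers found in a classes.dex string dump."""
    return [marker for marker in DYNAMIC_LOAD_MARKERS if marker in dex_strings]


def triage(manifest_xml, dex_strings):
    """Score an app: +1 per data-access permission, +2 for overlay, +3 for dex loading."""
    perms = manifest_permissions(manifest_xml)
    data_perms = sorted(perms & DATA_ACCESS_PERMS)
    hits = dex_dynamic_load_hits(dex_strings)
    overlay = OVERLAY_PERM in perms
    score = len(data_perms) + (2 if overlay else 0) + (3 if hits else 0)
    return {
        "data_permissions": data_perms,
        "overlay": overlay,
        "dynamic_code_loading": hits,
        "score": score,
        # Hypothetical threshold: anything with this much reach deserves a close look.
        "verdict": "suspicious" if score >= 5 else "review",
    }


# Constructed sample: a decoded manifest for a "wallpaper" app that asks for far
# more than a wallpaper app needs.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpapers">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <application android:label="Wallpapers"/>
</manifest>
"""

# Constructed sample: a few lines as `strings classes.dex` might print them.
SAMPLE_DEX_STRINGS = """Ldalvik/system/DexClassLoader;
loadClass
Landroid/content/ContentResolver;
content://sms/inbox
http://
"""

# Constructed sample: a manifest that only asks for network access, for contrast.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.plainwallpapers">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Plain Wallpapers"/>
</manifest>
"""

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, SAMPLE_DEX_STRINGS))
    print(triage(BENIGN_MANIFEST, "Landroid/content/Context;\n"))
```

The point of scoring rather than matching on any single permission is that READ_CONTACTS or READ_SMS on their own are common in legitimate apps; it is the combination of wide data access, a screen-covering window and the ability to pull in new code after install that matches what this article describes.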

If you were to input credit card info and click "Pay", LeakerLocker sends a request to the payment URL with the card number as a parameter, so the operators receive your card details whether or not the payment goes through. If the payment succeeds, it shows a message saying "Your personal data has been deleted from our servers and your privacy is secured."

If payment is unsuccessful, "No payment has been made yet. Your privacy is in danger." is displayed and the clock continues to tick.

Do not pay!

If you have been affected by ransomware of any kind, not just LeakerLocker, DO NOT PAY. By doing so you are funding the threat actor's malicious activity and making the problem worse.

Instead, always ensure that you have multiple layers of backups stored outside your device and, ideally, off-site, for example a cloud backup service like Dropbox or Google Drive. Bear in mind that backups only protect you against the encrypting kind of ransomware; against doxware like LeakerLocker, the protection is to be careful about which apps you install and what permissions you grant them, since the malware can only read what you have already allowed it to.

Do you have a better way of protecting against ransomware? If so, please do leave your advice below.