While WannaCry and Petya ransomware infected a wide range of systems all over the world, attackers are now targeting Android users with a new ransomware dubbed LeakerLocker. This Android ransomware spreads through rogue applications that disguise themselves as authentic apps.

LeakerLocker doesn’t encrypt files; instead, it transfers the smartphone’s personal data to the attacker’s cloud. The attacker then threatens the victim that all the personal information will be sent to the phone and email contact lists within 72 hours if a ransom of $50 is not paid.

The information includes photos, contact numbers, SMS records, Facebook messages, browsing history, GPS location history and email contents.

McAfee’s research team reported this ransomware to Google after finding it in two rogue apps, “Wallpapers Blur HD” and “Booster and Cleaner Pro”. These applications are available in the Google Play Store and have been installed by thousands of users. Even the ratings of these apps are fraudulent.

The wallpaper app was observed requesting access to irrelevant information during installation. Both apps generally work normally but carry out the malicious activity in secret.

How LeakerLocker Works

When an Android user installs “Booster and Cleaner Pro” and runs it for the first time, the Trojan shows the app’s functions and asks for access to more information. Users are generally tempted by the promise of boosting their device.

Furthermore, the receiver com.robocleansoft.boostvsclean.receivers.BoorReceiver initiates AlarmManager, which starts the malicious activity com.robocleansoft.boostvsclean.AdActivity. Consequently, the LeakerLocker ransomware locks the device screen and starts gathering personal information stored on the device. It can load .dex code remotely from the control server.

According to the McAfee researchers, “When a victim inputs a credit card number and clicks “Pay,” the code sends a request to the payment URL with the card number as a parameter. If the payment succeeds, it shows the information “our [sic] personal data has been deleted from our servers and your privacy is secured.” If not successful, it shows “No payment has been made yet. Your privacy is in danger.” The payment URL comes from the server; the attacker can set different destination card numbers on the server.”

Although Google has implemented Panic Detection mode in Android 7.1, what about other versions of Android? Android users are advised to install apps from the Google Play Store, but even apps on the Play Store are violating its policies and becoming threats to users.

We recommend that Android users check the requested permissions carefully during installation to avoid unauthorized access to their confidential data. Anyone who has become a victim of such a ransomware attack should not pay the ransom, as paying encourages further attacks.
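The permission check recommended above can be automated when vetting an app before it reaches a device. The Python sketch below is an added example, not code from McAfee or from the apps discussed. It assumes the APK's manifest has already been decoded to text XML (for instance with apktool), uses a constructed sample manifest with a made-up package name, and treats a boot-time receiver as a review signal, which is an assumption, since the article does not say what triggers the receiver.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Real Android permission names mapped to the data types the article lists.
SENSITIVE = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "SMS",
    "android.permission.READ_CALL_LOG": "call log",
    "android.permission.ACCESS_FINE_LOCATION": "GPS location",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
    "android.permission.READ_EXTERNAL_STORAGE": "photos and files",
    "android.permission.GET_ACCOUNTS": "email accounts",
    "com.android.browser.permission.READ_HISTORY_BOOKMARKS": "browsing history",
}
# Assumption: a receiver that fires at boot is worth flagging for review.
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"

def audit_manifest(xml_text):
    """Return the sensitive data an app can reach and its boot-time receivers."""
    root = ET.fromstring(xml_text)
    requested = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    data = sorted({SENSITIVE[p] for p in requested if p in SENSITIVE})
    boot_receivers = [
        r.get(ANDROID + "name")
        for r in root.iter("receiver")
        if any(a.get(ANDROID + "name") == BOOT_ACTION for a in r.iter("action"))
    ]
    # Review flag: the app starts by itself at boot and can read personal data.
    return {"package": root.get("package"), "data": data,
            "boot_receivers": boot_receivers,
            "review": bool(data) and bool(boot_receivers)}

# Constructed sample: a wallpaper app asking for far more than it needs.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpaper">
  <uses-permission android:name="android.permission.SET_WALLPAPER"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <receiver android:name=".receivers.StartupReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(audit_manifest(SAMPLE))
```

A result with "review" set to True is a prompt for manual inspection, not a verdict: plenty of legitimate apps combine these permissions, so the useful question is whether the data listed matches what the app claims to do.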

