Shocked expression
LeakedLocker is a form of doxware which threatens to release personal data iStock

Thousands of Android users may be at risk to a newly discovered form of malware which attempts to extort victims by threatening to leak a trove of personal information including photos, website histories and text messages unless a 'ransom' is paid to the hackers.

Dubbed 'LeakerLocker' by experts from cybersecurity firm McAfee, it demands $50 (£39) per victim to prevent the release of potentially sensitive data, which also includes Facebook chats, GPS locations and email correspondence, to the device's stored contact list.

It's a departure from the traditional approach of mobile ransomware, which typically keeps sensitive files cloaked via strong encryption until a fee is paid.

This scam is known as doxware, with the hackers claiming the smartphone's data is stolen and uploaded directly to a secure server in the cloud.

Upon infection, a 'ransom' note warns: "In less than 72 hours this data will be sent to every person from your telephone and email contacts list.

"To abort this action you have to pay a modest ransom of $50. Please note that there is no way to delete your data from our secure but paying for them (sic). Powering off or even damaging your smartphone won't affect your data in the cloud."

Two apps on Google's official Play Store were found to be carrying the malware, titled "Wallpapers Blur HD" (between 5,000 and 10,000 downloads) and "Booster & Cleaner Pro" (between 1,000 and 5,000 downloads), each updated in the last three months.

Taking Booster & Cleaner Pro as an example, McAfee experts Fernando Ruiz and ZePeng Chen explained in their analysis that the malicious payload is only able to work if the victim permits a slew of heightened permissions upon installation.

When launched for the first time, the fake booster app – advertised as a way of speeding up a device – appears to be legitimate however its covert activity quickly kicks into gear by locking down the victim's home screen with an overlay page displaying the ransom note.

It has the capability of displaying private information (because the victim unwittingly granted it access) in the background. LeakerLocker does not use any mobile exploits however can remotely add malicious code to help it "avoid detection in certain environments".

In its report, McAfee was unable to provide concrete analysis about whether the compromised files were actually sent to an external server. The hackers may be scammers due to the fact "not all the private data" the malware claimed to access was actually read, the experts said.

Facebook
LeakerLocker threatens to leak Facebook chats from victims GABRIEL BOUYS/AFP/Getty Images

What is set up is the payment channel, the researchers asserted.

If successful, a message states "our [sic] personal data has been deleted from our servers and your privacy is secured" and if not it states "no payment has been made yet. Your privacy is in danger".

It remains unknown how much money the hackers have accumulated in the scheme.

What to do if you're hit by ransomware

The experts concluded: "We advise users of infected devices to not pay the ransom. Doing so contributes to the proliferation of this malicious business, which will lead to more attacks. Also, there is no guarantee that the information will be released."

Google is aware of the malicious applications and has launched an investigation, McAfee said. Both apps have now been moved from the official marketplace.

For years, ransomware has been a lucrative underground industry for cybercriminals. It firmly hit the mainstream this year after two strains – dubbed WannaCry and NotPetya – caused computer chaos on a global scale, infecting hundreds of thousands of computers.

In November 2016, cybersecurity firm Proofpoint found a working strain of doxware dubbed "Ransoc" that was hitting desktops running the Windows operating system. It could display personal data captured from video calling software Skype and social media profiles.

"Unlike most ransomware variants, the target here is the victim's reputation rather than their files," experts wrote in a blog post at the time.