Android security woes continue. New ransomware found on Google Play store by Check Point researchers
Researchers at security specialist Check Point have revealed a new piece of ransomware called “Charger”, which was downloaded via an infected Android app on the Google Play store.
The app in question was called EnergyRescue, and it has now reportedly been removed from the Google Play Store after the researchers alerted Google to the discovery.
The discovery of another piece of malware on Google Play is concerning, as this was the official store rather than a third-party Android app store. But it is not the first time malware has been detected on Google Play.
Check Point said in a new blog post that it discovered the malware after it quarantined the Android device of an unsuspecting staffer at a customer organisation, who had unknowingly downloaded and installed the previously unseen mobile ransomware from Google Play.
“This incident demonstrates how malware can be a dangerous threat to your business, and how advanced behavioural detection fills mobile security gaps attackers use to penetrate entire networks,” wrote the researchers.
The Charger malware was embedded in an Android app called EnergyRescue, and anyone unfortunate enough to install the app was liable to have the contacts and SMS messages on their device stolen. The malware also seeks device administrator privileges, and if granted them, it locks the device and displays a message demanding payment.
“You need to pay for us, otherwise we will sell portion of your personal information on black market every 30 minutes,” reads the scammers demand.
The note goes on to promise that everything will be restored after payment, and tells the victim that the attackers have collected and downloaded all of their personal data, including social networks, bank accounts, credit cards, and all the data about the victim’s friends and family.
And the scammers are apparently demanding a pretty hefty fee to unlock the device, namely 0.2 Bitcoins (roughly $180).
This, according to the researchers, is a much higher ransom demand than normal for mobile ransomware, and they point out that the DataLust ransomware for example only demanded $15 in payment.
The Charger ransomware also apparently checks the locale settings of the device and does not run its malicious code if the device is located in Ukraine, Russia, or Belarus. Check Point says this is done to prevent the ransomware authors from being prosecuted in their own countries or being extradited between countries.
And Check Point warned that this Charger malware did everything in its power to remain hidden on Google Play. For example, it encoded strings into binary arrays, making them hard to inspect. It also loaded code from encrypted resources dynamically, which most detection engines cannot unpack and inspect.
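One way a practitioner might triage a decompiled APK for the traits described in the two paragraphs above, both the locale check that skips Ukraine, Russia and Belarus and the byte-array strings and dynamic loading of code from resources, is a small static scanner. The following is an added Python example, not Check Point's code and not anything taken from the Charger sample: the two decompiled-source snippets are constructed here for the demonstration, the regexes are assumptions about how those behaviours look after decompilation, and the threshold of three indicators is an arbitrary starting point.

```python
import re

# Constructed sample of what a decompiled (e.g. jadx output) class might look like
# for an app showing the behaviours described in the article. It is written here
# to exercise the scanner; it is NOT code from the Charger sample or Check Point.
SAMPLE_DECOMPILED = """
import android.app.admin.DevicePolicyManager;
import dalvik.system.DexClassLoader;

public class Loader {
    static final byte[] K = {0x61, 0x70, 0x69, 0x2e};

    void run(Context ctx) {
        String iso = ctx.getResources().getConfiguration().locale.getCountry();
        if (iso.equals("RU") || iso.equals("UA") || iso.equals("BY")) { return; }
        String endpoint = new String(K);
        DexClassLoader dl = new DexClassLoader(decrypt(ctx, "payload"), dir, null, ctx.getClassLoader());
        Intent i = new Intent(DevicePolicyManager.ACTION_ADD_DEVICE_ADMIN);
        DevicePolicyManager dpm = (DevicePolicyManager) ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);
        dpm.lockNow();
    }
}
"""

# Constructed benign comparison: a device-management agent that legitimately holds
# device-admin rights and can lock the screen, but has none of the evasion traits.
SAMPLE_MDM_AGENT = """
import android.app.admin.DevicePolicyManager;

public class MdmAgent extends DeviceAdminReceiver {
    void remoteLock(Context ctx) {
        DevicePolicyManager dpm = (DevicePolicyManager) ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);
        dpm.lockNow();
    }
}
"""

# Each indicator lists regexes that must ALL match somewhere in the source. The
# patterns are assumptions about how the described behaviour looks after
# decompilation; tune them against real samples.
INDICATORS = {
    "cis_geofence": [                      # locale lookup plus RU/UA/BY literals
        r"\b(?:getCountry|getSimCountryIso|getNetworkCountryIso)\s*\(",
        r'"(?:RU|UA|BY|ru|ua|by)"',
    ],
    "byte_array_strings": [                # strings kept as byte arrays, rebuilt at runtime
        r"byte\[\]\s+\w+\s*=\s*\{",
        r"new\s+String\s*\(\s*\w+",
    ],
    "dynamic_dex_load": [                  # code loaded from outside classes.dex
        r"\b(?:DexClassLoader|PathClassLoader|InMemoryDexClassLoader)\b",
    ],
    "device_admin": [                      # requests device-administrator rights
        r"ACTION_ADD_DEVICE_ADMIN|DeviceAdminReceiver",
    ],
    "lock_screen": [r"\.lockNow\s*\("],    # can lock the device once it is admin
}


def scan_source(source):
    """Return {indicator: [(line_no, line), ...]} for every indicator whose patterns all match."""
    lines = source.splitlines()
    findings = {}
    for name, patterns in INDICATORS.items():
        hits = []
        for pat in patterns:
            rx = re.compile(pat)
            matched = [(n, line.strip()) for n, line in enumerate(lines, 1) if rx.search(line)]
            if not matched:
                hits = None        # a required pattern is missing: indicator does not fire
                break
            hits.extend(matched)
        if hits:
            findings[name] = sorted(set(hits))
    return findings


def triage(source):
    """Combine indicators into a verdict; single traits are common in benign apps."""
    findings = scan_source(source)
    if len(findings) >= 3:
        verdict = "suspicious"
    elif findings:
        verdict = "note"
    else:
        verdict = "clean"
    return verdict, findings


if __name__ == "__main__":
    for label, src in (("sample", SAMPLE_DECOMPILED), ("mdm_agent", SAMPLE_MDM_AGENT)):
        verdict, findings = triage(src)
        print(f"{label}: {verdict}")
        for name, hits in findings.items():
            print(f"  {name}: lines {[n for n, _ in hits]}")
```

The point of the combination is that device-admin rights and lockNow on their own are exactly what a legitimate management agent does, so the benign sample only earns a "note", while the geofence, the byte-array strings and the dynamic loader together push the constructed sample to "suspicious". On a real case you would feed scan_source the text of each decompiled class and then confirm any hit by hand, since dynamic loading from an encrypted resource is precisely the case where the interesting code is not in the decompiled output at all.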
Check Point said that its Analysis and Response Team (ART) had disclosed their finding to Android’s Security team who took the appropriate security steps to remove the infected app.
Late last year, for example, Trend Micro discovered the DressCode malware in more than 400 apps on Google Play.
Prior to that malware called CallJam was removed from Google Play, where it posed as a game but made premium-rate calls in the background once installed on a phone.