Check Point’s mobile security researchers have discovered a new ransomware in Google Play, dubbed Charger.
Charger was found embedded in an app called EnergyRescue. The infected app steals contacts and SMS messages from the user’s device and asks for admin permissions. If granted, the ransomware locks the device and displays a message demanding payment.
Researchers detected and quarantined the Android device of an unsuspecting customer employee who had unknowingly downloaded and installed Charger. The early detection enabled them to quickly disclose the findings to Android’s security team, which added the malware to Android’s built-in protection mechanisms before it began to spread, ensuring only a handful of devices were infected.
Charger mobile ransomware uses a different approach
Unlike most malware found on Google Play, which contains a dropper that later downloads the real malicious components to the device, Charger uses a heavy packing approach. This makes it harder for the malware to stay hidden, so Charger’s developers compensated with a variety of techniques to boost its evasion capabilities and keep it on Google Play for as long as possible:
- Encoding strings into binary arrays, making it hard to inspect them.
- Loading code from encrypted resources dynamically, which most detection engines cannot penetrate and inspect. The dynamically-loaded code is also flooded with meaningless commands that mask the actual commands passing through.
- Checking whether it is being run in an emulator before it starts its malicious activity. PC malware first introduced this technique, which is becoming a trend in mobile malware, having been adopted by several malware families including Dendroid.
The ransom demand is for 0.2 Bitcoins, roughly $180, which is much higher than what has been seen in previous mobile ransomware attacks. By comparison, the DataLust ransomware demanded merely $15. The higher demand could be an indicator of a wider effort by mobile malware developers to catch up with their PC ransomware cousins.
Similar to other malware seen in the past, Charger checks the locale settings of the device and does not run its malicious logic if the device is located in Ukraine, Russia, or Belarus. This is likely done to keep the developers from being prosecuted in their own countries or being extradited between countries.
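The evasion traits listed above (strings hidden in byte arrays, dynamically loaded code, emulator checks) and the locale check just described are the things an analyst triaging a decompiled sample looks for first. The following is an added example for that triage, not Check Point's tooling or Charger's code: it decodes byte-array string literals back to text and counts regex hits for the other traits over a constructed decompiled snippet; the indicator patterns and the sample source are assumptions for illustration.

```python
"""Triage helpers for decompiled Android source text (added example, assumed patterns)."""
import re
from typing import Dict, List

# Java byte-array literals such as `new byte[]{0x43, 0x68, 97}` and `(byte)` casts inside them.
BYTE_ARRAY_RE = re.compile(r"new\s+byte\s*\[\s*\]\s*\{([^}]*)\}")
CAST_RE = re.compile(r"\(\s*byte\s*\)")

# Heuristic indicators for the behaviours the write-up describes (assumed, not from Charger).
INDICATOR_RES: Dict[str, re.Pattern] = {
    "dynamic_code_loading": re.compile(r"\bDexClassLoader\b|\bInMemoryDexClassLoader\b"),
    "emulator_check": re.compile(r"Build\.(FINGERPRINT|MODEL|HARDWARE)|\bgoldfish\b|\bgeneric\b"),
    "locale_check": re.compile(r'getCountry\(\)|"(UA|RU|BY)"', re.IGNORECASE),
    "device_admin": re.compile(r"ACTION_ADD_DEVICE_ADMIN|DeviceAdminReceiver"),
}

# Constructed decompiled snippet showing each pattern once; this is not real Charger code.
SAMPLE_SRC = """
    String a = new String(new byte[]{0x43, 0x68, 0x61, 0x72, 0x67, 0x65, 0x72});
    byte[] key = new byte[]{(byte) 0x9f, (byte) -45, 0x01};
    if (Build.FINGERPRINT.startsWith("generic")) return;
    String cc = Locale.getDefault().getCountry();
    if (cc.equals("UA") || cc.equals("RU") || cc.equals("BY")) return;
    Class c = new DexClassLoader(dexPath, opt, null, parent).loadClass(n);
    startActivity(new Intent(DevicePolicyManager.ACTION_ADD_DEVICE_ADMIN));
"""


def decode_byte_array_literals(src: str) -> List[str]:
    """Return each byte-array literal as text when every byte is printable ASCII."""
    out = []
    for m in BYTE_ARRAY_RE.finditer(src):
        items = [CAST_RE.sub("", t).strip() for t in m.group(1).split(",")]
        try:
            vals = [int(t, 0) & 0xFF for t in items if t]  # accepts 0x.., decimal, negatives
        except ValueError:
            continue  # array built from variables or expressions; nothing to decode
        if vals and all(0x20 <= v < 0x7F for v in vals):
            out.append(bytes(vals).decode("ascii"))
    return out


def flag_indicators(src: str) -> Dict[str, int]:
    """Count matches per indicator so samples can be ranked for manual review."""
    return {name: len(rx.findall(src)) for name, rx in INDICATOR_RES.items()}


if __name__ == "__main__":
    print("decoded strings:", decode_byte_array_literals(SAMPLE_SRC))
    print("indicator hits:", flag_indicators(SAMPLE_SRC))
```

Only arrays whose bytes are all printable decode, so keys and ciphertext (like the second array in the sample) are skipped rather than shown as garbage.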