Security researchers have identified a new and evasive mobile ransomware strain called Charger on the Google Play app store. The Charger malware was bundled with an SMS-snooping app called EnergyRescue that passed itself off as a battery management utility, according to Check Point security researchers.
Check Point says it found the malicious app three weeks ago and that since then, Google has removed the offending software from Google Play. The app, researchers said, represents a bold win for cybercriminals peddling ransomware via Google Play, since the large majority of Android malware is distributed via third-party app stores.
“Charger could be an indicator of a wider effort by mobile malware developers to catch up with their PC ransomware cousins,” wrote Oren Koriat and Andrey Polkovnichenko, both Check Point security analysts.
“EnergyRescue has the largest arsenal of evasion methods we’ve seen to date,” Check Point researchers told Threatpost. According to Koriat and Polkovnichenko, most malware that does manage to make it onto Google Play is malicious adware where cybercriminals profit via ads and app referrals. However, with Charger, the target is the user.
The infection begins when the user downloads the EnergyRescue app, which steals the target’s contacts and SMS messages. Next, the app attempts to trick phone owners into granting EnergyRescue admin permissions. “If granted, the ransomware locks the device and displays a message demanding payment,” according to their research report “Charger Malware Calls and Raises the Risk on Google Play.”
Payment of 0.2 Bitcoins ($180) is demanded. A rambling ransom note makes a number of different demands and threats. “You need to pay for us, otherwise we will sell portion of your personal information on black market every 30 minutes,” reads the ransom note.
Attackers also guarantee “files will be restored” after they receive payment and that they will delete all personal data they have in their possession. “We collect and download all of your personal data. All information about your social networks, Bank accounts, Credit Cards. We collect all data about your friends and family.”
Attackers do not encrypt data on the targeted devices; rather, the phone is locked and displays only the ransom note demanding money.
“Most malware found on Google Play contains only a dropper that later downloads the real malicious components to the device. Charger, however, uses a heavy packing approach which makes it harder for the malware to stay hidden, so it must compensate with other means,” wrote Koriat and Polkovnichenko.
That evasive compensation includes techniques such as encoding strings into binary arrays, making it hard to inspect them. Another tactic includes “loading code from encrypted resources dynamically, which most detection engines cannot penetrate and inspect.” Making it even more difficult to decipher the app’s true intent, code is flooded with meaningless commands that mask the actual commands passing through, according to researchers. Lastly, the malware will stay dormant if it detects being run in an OS emulator.
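As an added, defender-side example that is not part of the Check Point report or this article: a small Python triage script that flags the manifest pattern described above (SMS and contact permissions together with a device-admin receiver) and string-table indicators of the runtime code loading and decryption the researchers describe. The sample manifest, the string list, the marker class names and the entropy threshold are constructed or assumed values; real input would come from a decoder such as apktool.

```python
import math
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Constructed sample of a decoded AndroidManifest.xml (not EnergyRescue's real manifest).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application><receiver android:name=".AdminReceiver"
      android:permission="android.permission.BIND_DEVICE_ADMIN">
    <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
  </receiver></application>
</manifest>"""
# Constructed string-table dump, as a decompiler would list class refs and constants.
SAMPLE_STRINGS = [
    "Battery optimization in progress, please wait...",
    "Ldalvik/system/DexClassLoader;",
    "Ljavax/crypto/Cipher;",
    "0123456789abcdefghijklmnopqrstuv",  # stand-in for an encoded payload blob
]
DATA_THEFT_PERMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
                    "android.permission.READ_CONTACTS"}
DYNAMIC_LOAD_MARKERS = ("dalvik/system/DexClassLoader", "javax/crypto/Cipher")

def manifest_findings(xml_text):  # SMS/contact permissions plus a device-admin receiver
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    found = ["requests " + p for p in sorted(perms & DATA_THEFT_PERMS)]
    for r in root.iter("receiver"):
        if r.get(ANDROID_NS + "permission") == "android.permission.BIND_DEVICE_ADMIN":
            found.append("device-admin receiver " + r.get(ANDROID_NS + "name"))
    return found

def shannon_entropy(s):  # bits per character over the string's own alphabet
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def string_findings(strings, min_len=32, threshold=4.5):  # threshold is a heuristic
    found = []
    for s in strings:
        if any(m in s for m in DYNAMIC_LOAD_MARKERS):  # runtime loader / decryption refs
            found.append("dynamic-load marker " + s)
        elif len(s) >= min_len and shannon_entropy(s) > threshold:  # encoded blob?
            found.append("high-entropy constant (%.2f bits/char)" % shannon_entropy(s))
    return found

def triage(xml_text, strings):  # combined list of indicators for an analyst to review
    return manifest_findings(xml_text) + string_findings(strings)
```

Every hit is an indicator for manual review, not a verdict: legitimate apps also request SMS or device-admin rights, so the value of the check lies in the combination of behaviours.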
“This means that static analysis engines, such as Bouncer, will not be able to analyze the encrypted parts of the code which contain the malicious activities,” researchers said.
Check Point said mobile ransomware is still a relatively new phenomenon, with most infections taking place via side-loaded apps from third-party app stores.
In a brief statement to Threatpost Google stated: “We appreciate Check Point’s efforts to raise awareness about this issue. We’ve taken the appropriate actions in Play, and will continue to work closely with the research community to help keep Android users safe.”
Google said apps on Google Play are specifically reviewed for compliance with its Google Play Developer Content Policy and Developer Distribution Agreement, which prevent bad actors from passing off apps that impersonate legitimate companies or exhibit deceptive behavior. On its Android security page it touts: “All Android apps undergo rigorous security testing before appearing in the Google Play Store. We vet every app developer in Google Play and suspend those who violate our policies. So even before you install an app, you know we’ve checked that it’s safe.”
Still, Google points out it also relies “on the community of users and developers to flag apps for additional review.”
Check Point said as far as it’s aware EnergyRescue is the only app that contained the Charger ransomware. “We believe this was only an effort to test the waters by the malware authors, and we expect to see more of it in the future,” said Check Point.
On Monday, Check Point disclosed it had found a HummingBad variant, known as HummingWhale, that was being distributed via 20 camera, music, flashlight and adult apps on Google Play.