Ransomware App Found in Google Play Store

Check Point researchers recently found mobile ransomware embedded in an app called EnergyRescue, which was available from the official Google Play store.

The malware, called Charger, steals contact info and SMS messages from infected devices, and requests admin permissions.

If those permissions are granted, the ransomware locks the device and demands 0.2 Bitcoins (approximately $180) in payment with the warning, “You need to pay for us, otherwise we will sell portion of your personal information on black market every 30 minutes.”

“Similar to other malware seen in the past, Charger checks the local settings of the device and does not run its malicious logic if the device is located in Ukraine, Russia or Belarus,” the researchers write. “This is likely done to keep the developers from being prosecuted in their own countries or being extradited between countries.”

To make it harder to detect, the researchers noted, the malware used the following techniques:

  • It encodes strings into binary arrays, making it harder to inspect them.
  • It loads code from encrypted resources dynamically, which most detection engines cannot penetrate and inspect. The dynamically-loaded code is also flooded with meaningless commands that mask the actual commands passing through.
  • It checks whether it is being run in an emulator before it starts its malicious activity. PC malware first introduced this technique, which is becoming a trend in mobile malware and has been adopted by several malware families, including Dendroid.
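
As an added example (not code from Check Point or from the malware itself), the first technique above can be reversed during static triage: this Python script recovers text from byte-array initializers in decompiled Java source. It assumes the arrays appear as literal `new byte[]{...}` initializers holding plain UTF-8 bytes; the function names and the sample class are constructed for illustration.

```python
import re

# Matches Java array initializers such as: new byte[]{72, 0x65, (byte) 0xff}
BYTE_ARRAY = re.compile(r"new\s+byte\s*\[\s*\]\s*\{([^{}]*)\}")

# Constructed sample of decompiled source, not taken from any real app.
SAMPLE = '''
class A {
    // strings stored as byte arrays instead of literals
    static final byte[] a = new byte[]{104, 116, 116, 112, 115, 58, 47, 47, 101, 120, 97, 109, 112, 108, 101, 46, 105, 110, 118, 97, 108, 105, 100};
    static final byte[] b = new byte[]{(byte) 0xde, (byte) 0xad, (byte) 0xbe, (byte) 0xef, 0x01};
    static final byte[] c = new byte[]{0x52, 0x45, 0x41, 0x44, 0x5f, 0x53, 0x4d, 0x53};
    byte[] d = new byte[]{1, n, 3, 4};
}
'''

def parse_bytes(body):
    """Turn the comma-separated literals of one initializer into bytes, or None."""
    values = []
    for item in body.split(","):
        item = item.strip()
        if item.startswith("(byte)"):
            item = item[len("(byte)"):].strip()  # drop the Java cast
        if not item:
            continue  # tolerate a trailing comma
        try:
            values.append(int(item, 0) & 0xFF)  # Java bytes are signed; keep low 8 bits
        except ValueError:
            return None  # non-literal element (variable, expression): skip the array
    return bytes(values)

def recover_strings(source, min_len=4):
    """Return (line_number, text) for every array that decodes to printable UTF-8."""
    hits = []
    for m in BYTE_ARRAY.finditer(source):
        raw = parse_bytes(m.group(1))
        if raw is None or len(raw) < min_len:
            continue
        try:
            text = raw.decode("utf-8")
        except UnicodeDecodeError:
            continue  # binary data (keys, ciphertext), not an encoded string
        if text.isprintable():
            hits.append((source.count("\n", 0, m.start()) + 1, text))
    return hits

if __name__ == "__main__":
    for line_no, text in recover_strings(SAMPLE):
        print(f"line {line_no}: {text!r}")
```

Arrays that fail to decode are worth a second look rather than dismissal, since they may hold the encrypted resources described in the second technique.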

The researchers disclosed their findings to the Android Security Team, which removed the infected app and updated its defenses to detect the Charger malware.

Tripwire security researcher Craig Young told eSecurity Planet by email that with 2.2 million apps in the Google Play store, it’s all but inevitable that some bad apples will get through. “Users can still trust the Google Play Store, but need to keep in mind a few tips to stay safe,” he said. “First of all, you should never ever grant administrator permission to any application without absolute trust for why it is needed. Also, starting with the 2015 release of Android 6, applications started requesting permission at run time rather than install, so it is very apparent when an app tries to steal contacts or other personal data.”

“Unfortunately, only a little over 30 percent of Android devices are running this version or newer, due to many low-end phones being neglected by vendors with respect to providing updates,” Young added. “This is why it’s important to buy Android devices from vendors which made commitments to keeping the product up to date for a specified amount of time.”

A recent Ponemon Institute survey of 593 IT and IT security practitioners, sponsored by Arxan and IBM Security, found that while 60 percent of respondents acknowledged having experienced a security incident due to an insecure mobile app, 44 percent are taking no steps to prevent such attacks.

For IoT apps, the situation is even worse — respondents said IoT apps are harder to secure (84 percent) than mobile apps (69 percent), and 55 percent of respondents said there’s a lack of quality assurance and testing procedures for IoT apps.

Just 30 percent of respondents said their organization allocates sufficient budget to protect mobile apps and IoT devices.

“Mobile and IoT applications continue to be released at a rapid pace to meet user demand,” IBM Security global executive security advisor Diana Kelley said in a statement. “If security isn’t designed into these apps there could be significant negative impacts. Organizations are at risk and cybercriminals know where the soft spots are. Raising awareness of application security in the enterprise is a critically important first step toward a more secure future for businesses and consumers.”

Jeff Goldman
Jeff Goldman has been a technology journalist for more than 20 years and an eSecurity Planet contributor since 2009.
