A fake Android app that was temporarily available in the official Google Play store promises to improve mobile users' battery life, but actually distributes a newly discovered ransomware that steals contacts and SMS messages and renders devices inactive.
Dubbed Charger, the ransomware displays a ransom note warning victims that their information – including data related to personal contacts, bank accounts, credit cards and social networking activity – has been downloaded onto a malicious server, according to a Tuesday blog post by Check Point Software Technologies, whose researchers discovered the malware approximately four weeks ago.
The note threatens to sell portions of this data every 30 minutes unless a ransom of 0.2 bitcoins is paid, although Check Point researcher Daniel Padon told SC Media in an email interview that the company's Analysis and Response Team has not found any indications of this activity. The 0.2 bitcoin demand, which as of this posting equates to nearly $180, is an unusually stiff penalty, the blog post observed, noting that fellow mobile ransomware DataLust charges only $15.
"TURNING OFF YOUR PHONE IS MEANINGLESS, ALL YOUR DATA IS ALREADY STORED ON OUR SERVERS! WE STILL CAN SELLING [sic] IT FOR SPAM, FAKE, BANK CRIME etc…" the ransom note reads.
Charger is distributed via a fake utility app called Energy Rescue, which advertises itself as a tool that makes your battery work longer by scanning for and fixing inactive weak cells. "The malware uses a complex packing system to hide the malicious functionality in an encrypted part of the code. Simple static analysis engines are unable to penetrate this package and simply allow the malware through," Padon said, explaining how Charger managed to worm its way into the Google Play store.
The malware is also unusual in that it carries its own malicious payload instead of relying on a dropper or downloader component, Check Point reported. To avoid detection, it employs a number of evasive techniques, including encoding strings into binary arrays, dynamically loading code from encrypted resources (the code is also obfuscated), and scanning for virtual environments before commencing malicious activity.
Charger refuses to execute if it determines that an infected device is located in Ukraine, Russia or Belarus, which hints that the perpetrator is likely from this region and does not want to incite an investigation by local authorities.
According to the blog post, Google removed the infected app from its app store and added the malware to Android's built-in protection mechanisms.
SC Media has reached out to Google and will update the story if it receives comment.