Security researchers have detected a new zero-day mobile ransomware dubbed Charger hidden inside an app called EnergyRescue on the Google Play Store. According to the Check Point Mobile Threat Prevention team, the malicious app steals contacts and SMS messages from the user's device and then requests device administrator privileges.
If an unsuspecting user grants them, the Charger ransomware then locks the device and displays the following message demanding ransom to unlock the victim's device:
"You need to pay for us, otherwise we will sell portion of your personal information on black market every 30 minutes. WE GIVE 100% GUARANTEE THAT ALL FILES WILL RESTORE AFTER WE RECEIVE PAYMENT. WE WILL UNLOCK THE MOBILE DEVICE AND DELETE ALL YOUR DATA FROM OUR SERVER! TURNING OFF YOUR PHONE IS MEANINGLESS, ALL YOUR DATA IS ALREADY STORED ON OUR SERVERS! WE STILL CAN SELLING IT FOR SPAM, FAKE, BANK CRIME etc... We collect and download all of your personal data. All information about your social networks, Bank accounts, Credit Cards. We collect all data about your friends and family."
The malicious app demanded 0.2 Bitcoin, worth about $180 at the time, to be paid to a specific Bitcoin address. Researchers said they had not identified any payments to that address so far, but noted that the ransom demand is much higher than those previously seen in mobile ransomware.
"This incident demonstrates how malware can be a dangerous threat to your business, and how advanced behavioural detection fills mobile security gaps attackers use to penetrate entire networks," Check Point mobile cybersecurity analysts Oren Koriat and Andrey Polkovnichenko wrote in a blog post.
In an email to Ars Technica, Check Point researchers said the app was only available on the Google Play Store for four days and garnered a "handful" of downloads.
"We believe the attackers only wanted to test the waters and not spread it yet," the researchers wrote.
The Check Point team said they have quarantined the Android device of an employee who downloaded and installed the app. They added that the security firm's Analysis and Response Team has already communicated its findings to Google's Security team who immediately removed the app.
"Adware commonly found on Play collects profits from ad networks, but mobile ransomware inflicts direct harm to users. Like FakeDefender and DataLust, Charger could be an indicator of a wider effort by mobile malware developers to catch up with their PC ransomware cousins," the researchers said.
The firm also found that Charger checks the device's locale settings and will not run its malicious payload if it finds the device is located in Ukraine, Russia or Belarus. The researchers said this was possibly done to keep its developers from being prosecuted in their own countries or extradited.
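Locale gating of this kind leaves a recognisable footprint in a decompiled APK: a call to a country-lookup API sitting a few instructions away from string constants for the excluded country codes. The following is an added example of a static heuristic for hunting that pattern, not Check Point's tooling and not code recovered from the Charger sample; the API names are the standard Android ones, which of them Charger actually used is not stated in the article, and the smali input is constructed for illustration.

```python
"""Heuristic hunt for locale-based geofencing in decompiled Android code.

Added example, not Check Point's tooling or anything from the Charger sample.
Takes smali text from a decompiled APK and flags places where a country/locale
lookup API sits near string constants for the country codes named in the
article (UA, RU, BY). The sample inputs below are constructed.
"""
import re
from typing import Dict, List

# Standard Android methods used to learn the device's country. Which of these
# Charger used is an assumption; the article only says it checks locale settings.
COUNTRY_APIS = (
    "Ljava/util/Locale;->getCountry",
    "Landroid/telephony/TelephonyManager;->getSimCountryIso",
    "Landroid/telephony/TelephonyManager;->getNetworkCountryIso",
)

# ISO 3166-1 alpha-2 codes for Ukraine, Russia and Belarus.
GEOFENCE_CODES = {"UA", "RU", "BY"}

# smali emits string literals as const-string / const-string/jumbo instructions.
CONST_STRING = re.compile(r'const-string(?:/jumbo)?\s+[vp]\d+,\s*"([^"]*)"')


def find_geofence_checks(smali: str, window: int = 12) -> List[Dict]:
    """Return one finding per country-API call that has at least two of the
    geofence country codes as string constants within `window` lines of it."""
    lines = smali.splitlines()
    findings = []
    for i, line in enumerate(lines):
        api = next((a for a in COUNTRY_APIS if a in line), None)
        if api is None:
            continue
        lo, hi = max(0, i - window), min(len(lines), i + window + 1)
        codes = set()
        for j in range(lo, hi):
            m = CONST_STRING.search(lines[j])
            if m and m.group(1).upper() in GEOFENCE_CODES:
                codes.add(m.group(1).upper())
        # One code alone is weak evidence (a legitimate app may special-case
        # a single market); two or more of exactly these three is the signal.
        if len(codes) >= 2:
            findings.append({"line": i + 1, "api": api, "codes": sorted(codes)})
    return findings


# Constructed smali resembling a "should I run?" gate: bail out if the
# device locale's country is UA, RU or BY.
SAMPLE_SMALI = """\
.method private shouldRun()Z
    .locals 3
    invoke-static {}, Ljava/util/Locale;->getDefault()Ljava/util/Locale;
    move-result-object v0
    invoke-virtual {v0}, Ljava/util/Locale;->getCountry()Ljava/lang/String;
    move-result-object v0
    const-string v1, "UA"
    invoke-virtual {v0, v1}, Ljava/lang/String;->equals(Ljava/lang/Object;)Z
    move-result v2
    if-nez v2, :bail
    const-string v1, "RU"
    invoke-virtual {v0, v1}, Ljava/lang/String;->equals(Ljava/lang/Object;)Z
    move-result v2
    if-nez v2, :bail
    const-string v1, "BY"
    invoke-virtual {v0, v1}, Ljava/lang/String;->equals(Ljava/lang/Object;)Z
    move-result v2
    if-nez v2, :bail
    const/4 v0, 0x1
    return v0
    :bail
    const/4 v0, 0x0
    return v0
.end method
"""

# Constructed benign case: the same API, but only a single market special-cased.
BENIGN_SMALI = """\
    invoke-virtual {v0}, Ljava/util/Locale;->getCountry()Ljava/lang/String;
    move-result-object v0
    const-string v1, "US"
    invoke-virtual {v0, v1}, Ljava/lang/String;->equals(Ljava/lang/Object;)Z
"""

if __name__ == "__main__":
    for f in find_geofence_checks(SAMPLE_SMALI):
        print(f"line {f['line']}: {f['api']} near codes {f['codes']}")
    print("benign findings:", find_geofence_checks(BENIGN_SMALI))
```

Run it over the output of a smali disassembler such as baksmali, concatenated per class, to triage a sample quickly; a hit is a reason to look at what the surrounding branch guards, not proof of malice on its own.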
"Most malware found on Google Play contains only a dropper that later downloads the real malicious components to the device," the researchers said. "Charger, however, uses a heavy packaging approach which is harder for the malware to stay hidden, so it must compensate with other means."
They added that the developers of Charger "gave it everything they had to boost its evasion capabilities" so that it would stay undetected on the Google Play Store for as long as possible.
Earlier this week, Check Point said they detected a new variant of the notorious HummingBad malware dubbed "HummingWhale" embedded in more than 20 apps on Google Play. After informing the Google Security team, those apps were removed.