Ransomware on Google Play

Malware slipping through to become available on Google Play, Android’s marketplace, is nothing new. Now, however, ransomware has snuck through, and it threatens to do a lot of damage.

Named Charger, the ransomware took great pains to avoid detection. It comes packaged in an app called EnergyRescue and employs a number of features to evade Bouncer, Google Play’s app scanner. It loads its code dynamically from encrypted resources and runs a bunch of useless commands in order to hide the malicious ones. It also checks to see if it’s being run in an emulator and won’t run the ransomware code if it is.

Once installed, Charger steals contacts and other information, then displays the ransom message:

You need to pay for us, otherwise we will sell portion of your personal information on black market every 30 minutes. WE GIVE 100% GUARANTEE THAT ALL FILES WILL RESTORE AFTER WE RECEIVE PAYMENT. WE WILL UNLOCK THE MOBILE DEVICE AND DELETE ALL YOUR DATA FROM OUR SERVER! TURNING OFF YOUR PHONE IS MEANINGLESS, ALL YOUR DATA IS ALREADY STORED ON OUR SERVERS! WE STILL CAN SELLING IT FOR SPAM, FAKE, BANK CRIME etc… We collect and download all of your personal data. All information about your social networks, Bank accounts, Credit Cards. We collect all data about your friends and family.

The cost of the ransom is about $180.
