An application containing the new Android ransomware family called Charger has just been removed from the Google Play Store.
The app, called EnergyRescue, was disguised as a battery-saving application. It secretly stole the user's SMS messages and contact list, uploaded the data to the criminals' servers, and locked the user's device.
After locking the device, a ransom note appeared, threatening that if the victims did not pay, the attackers would publish their sensitive data on the Internet.
“You need to pay for us, otherwise we will sell portion of your personal information on black market every 30 minutes. WE GIVE 100% GUARANTEE THAT ALL FILES WILL RESTORE AFTER WE RECEIVE PAYMENT. WE WILL UNLOCK THE MOBILE DEVICE AND DELETE ALL YOUR DATA FROM OUR SERVER! TURNING OFF YOUR PHONE IS MEANINGLESS, ALL YOUR DATA IS ALREADY STORED ON OUR SERVERS! WE STILL CAN SELLING IT FOR SPAM, FAKE, BANK CRIME etc… We collect and download all of your personal data. All information about your social networks, Bank accounts, Credit Cards. We collect all data about your friends and family.”
Because the security experts did not observe the application exfiltrating some of the data the criminals threatened to expose, some of the threats appeared to be empty.
The type of ransomware which makes false threats to expose a user’s private data has been referred to as “doxware.”
The Check Point security team said they came across this threat after their mobile security app quarantined a customer's device on which the application had been installed.
When analyzing the ransomware, the experts found several significant differences from previous Android ransomware families. The most significant was how the ransomware infected devices.
Usually, other threats rely on droppers to gain a foothold on infected devices. Droppers are small apps with limited malicious behavior that can pass Google's Play Store security checks and then ask users for administrator rights.
If they convinced users to grant admin rights, these applications would then download the real ransomware.
According to Check Point, the EnergyRescue application included all of the malicious code from the start.
Regarding Charger, the security experts claim that its developers have done a good job at disguising the ransomware’s malicious behavior.
First, the criminals encoded all strings as binary arrays, making the application hard to inspect, even for veteran security researchers.
Second, they loaded malicious code from encrypted resources, which Google's detection engine could not reach to inspect.
Third, they flooded the phone with useless commands in order to hide the malicious operations from manual inspection by a human analyst.
Finally, Charger included code that checked whether the application was running inside an Android emulator and, if so, stopped the ransomware from triggering. This is most probably the feature that let Charger bypass the Play Store's security scanner, Bouncer.
In addition, Charger included checks that prevented the ransomware from executing if the phone's owner was in a country such as Belarus, Russia, or Ukraine.
“This is likely done to keep the developers from being prosecuted in their own countries or being extradited between countries,” stated the two Check Point researchers who analyzed the parasite.
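As an added example (not from the article or from Check Point's analysis), here is a small Python helper of the kind an analyst might use against the first obfuscation trick described above: it finds byte-array literals in decompiled Java source, decodes them back into strings, and flags any decoded string that matches a hypothetical indicator list covering well-known emulator build strings and the country codes of the countries named above. The sample source and the indicator list are constructed for this example.

```python
import re

# Constructed sample of decompiled Java, modelled on the string-hiding technique
# described in the article (strings kept as byte arrays). It is not Charger's code.
SAMPLE_SOURCE = r"""
public class a {
    static final byte[] f = new byte[]{0x67, 0x6f, 0x6c, 0x64, 0x66, 0x69, 0x73, 0x68};
    static final byte[] g = {103, 101, 110, 101, 114, 105, 99};
    static final byte[] h = new byte[]{0x52, 0x55};
    static final byte[] i = new byte[]{0x01, 0x02, -1, 0x00};
}
"""

# A brace-delimited list of integer literals (hex or decimal), optionally preceded
# by "new byte[]". Method bodies never match because they contain non-numeric tokens.
_NUM = r"-?(?:0[xX][0-9a-fA-F]+|\d+)"
ARRAY_RE = re.compile(r"(?:new\s+byte\s*\[\s*\]\s*)?\{\s*(" + _NUM + r"(?:\s*,\s*" + _NUM + r")*)\s*\}")

# Hypothetical analyst-chosen indicators, not a list from the article: the first two
# are well-known Android emulator build strings, the rest are ISO codes of the
# countries the article says Charger refused to run in.
INDICATORS = {
    "goldfish": "emulator hardware name",
    "generic": "emulator build string",
    "by": "country code (Belarus)", "ru": "country code (Russia)", "ua": "country code (Ukraine)",
}

def decode_byte_arrays(source, min_len=2):
    """Return each byte-array literal in `source` with its decoded text (None if not printable ASCII)."""
    found = []
    for m in ARRAY_RE.finditer(source):
        # Java bytes are signed; "& 0xff" maps -1 to 0xff exactly as a JVM cast would
        values = [int(t.strip(), 0) & 0xff for t in m.group(1).split(",")]
        if len(values) < min_len:
            continue
        printable = all(0x20 <= v < 0x7F for v in values)
        found.append({"offset": m.start(), "raw": bytes(values),
                      "text": bytes(values).decode("ascii") if printable else None})
    return found

def flag_indicators(decoded):
    """Match decoded strings against INDICATORS (exact, case-insensitive); return (text, reason) pairs."""
    return [(d["text"], INDICATORS[d["text"].lower()])
            for d in decoded if d["text"] and d["text"].lower() in INDICATORS]

if __name__ == "__main__":
    hits = decode_byte_arrays(SAMPLE_SOURCE)
    for d in hits:
        print(f"offset {d['offset']:5d}: {d['raw'].hex()}  ->  {d['text']!r}")
    for text, reason in flag_indicators(hits):
        print(f"indicator: {text!r} ({reason})")
```

Run against real decompiler output (for example from jadx), the decoded strings give an analyst a quick view of what the hidden constants are without single-stepping the app.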