Skip to content ↓ | Skip to navigation ↓

We all know that ransomware is a growing problem for businesses and home users alike, and that most of it is targeted against Windows users.

And we’re also familiar with warnings to avoid downloading Android apps from third-party marketplaces rather than officially-sanctioned ones such as the Google Play marketplace.

But infosecurity is not a world of absolutes, and it’s not unusual for attacks to “break the rules” and challenge our expectations.

That’s just what has happened to one unsuspecting worker, who installed an app called “EnergyRescue” onto his Android device directly from the Google Play store.

As researchers at Check Point report, the Charger malware was hidden inside the app download, stealing the infected user’s address book and snooping on SMS messages.

And then, to add insult to injury, the Charger malware locks the infected device and attempts to extort a ransom from its victims:

You need to pay for us, otherwise we will sell portion of your personal information on black market every 30 minutes. WE GIVE 100% GUARANTEE THAT ALL FILES WILL RESTORE AFTER WE RECEIVE PAYMENT. WE WILL UNLOCK THE MOBILE DEVICE AND DELETE ALL YOUR DATA FROM OUR SERVER! TURNING OFF YOUR PHONE IS MEANINGLESS, ALL YOUR DATA IS ALREADY STORED ON OUR SERVERS! WE STILL CAN SELLING IT FOR SPAM, FAKE, BANK CRIME etc… We collect and download all of your personal data. All information about your social networks, Bank accounts, Credit Cards. We collect all data about your friends and family.

The ransom demand asks for 0.2 Bitcoin (approximately US $180), a higher figure than seen in other similar attacks against Android users. The good news, so far, is that there has been no evidence seen that the extortionists have made any money out of the attack.

Interestingly, the Charger ransomware does not appear to deploy its destructive payload if it determines that it is running on an Android device based in Belarus, Russia or Ukraine. Make of that what you will – might it be that the authors of the malware are themselves based in that neck of the woods, and that they have no intention of encouraging the local authorities to pursue an investigation against them?

Your guess is as good as mine, but that certainly seems a plausible explanation.

Charger isn’t the first piece of Android ransomware – heck, it isn’t even the first malware to be distributed via the official Google Play store – but the prevalence of such attacks still falls far short of what we see happening on the Windows platform.

The advice for Android users remains the same despite this incident. Generally, apps you download from official app marketplaces can be considered safer than those you install from third-party sites, but that doesn’t mean you should be complacent about your security.

Always ask yourself whether an app really requires the permissions that it requests at installation, and refuse them if you feel uncomfortable with the data it is trying to collect.

Furthermore, check the published reviews and ratings in the app store to confirm whether an app has a poor reputation, or if others are already raising a red flag that something suspicious is going on.

And, of course, make sure that any precious data you have on your devices is being securely backed up – so should disaster strike you have a means of recovery that doesn’t involve paying the criminals any ransom.

Check Point raised the alarm after its security software detected the malware on a customer’s smartphone, and Google has since removed the app from its online store.


Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.