Ransomware App Found on Google Play

A ransomware app found its way into Google Play and claimed at least one victim, according to Check Point. The Android team has since removed the app from the store.

In a blog post on the company’s website, mobile cybersecurity analysts Oren Koriat and Andrey Polkovnichenko explained that, several weeks ago, Check Point Mobile Threat Prevention detected and quarantined the Android device of an unsuspecting customer employee. The employee had downloaded and installed a previously unseen mobile ransomware from Google Play, dubbed “Charger”, which was embedded in an app called EnergyRescue.

“This incident demonstrates how malware can be a dangerous threat to your business, and how advanced behavioral detection fills mobile security gaps attackers use to penetrate entire networks,” they added.

According to the analysts, the infected app steals contacts and SMS messages from the user’s device and then asks for device administrator rights. If these are granted, the ransomware locks the device and displays a message demanding a payment of 0.2 Bitcoins (roughly $180 at the time).

The malware uses several advanced techniques to hide its real intentions and make it harder to detect:

•    It encodes strings into byte arrays, so they cannot be found by simply searching the code for readable text.
•    It loads code dynamically from encrypted resources, which most detection engines cannot unpack and inspect. The dynamically loaded code is also flooded with meaningless instructions that mask the commands that actually do the work.
•    It checks whether it is running in an emulator before starting any malicious activity. This technique was first used by PC malware and is becoming a trend in mobile malware, having been adopted by several families including Dendroid.
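The three evasion tricks above each leave traces in the decompiled (smali) code that an analyst can look for statically: `fill-array-data` byte tables that decode to readable text, references to `DexClassLoader` next to `javax.crypto.Cipher`, and reads of `Build.FINGERPRINT` compared against emulator-style values. The following Python script is an added triage example, not Check Point's detection logic or code from the Charger sample; the smali fragment it scans is constructed for the example, and the indicator list and the "three or more categories" threshold are assumptions chosen here, not a published scoring scheme.

```python
"""Static triage of decompiled (smali) Android code for three evasion
tricks: strings hidden in byte arrays, dynamic loading of encrypted code,
and emulator checks. Added example; the sample below is constructed."""
import re

# Constructed smali fragment (not from any real sample): a byte table that
# decodes to "http://c&c", a Cipher + DexClassLoader pair, and a
# Build.FINGERPRINT.startsWith("generic") emulator check.
SAMPLE_SMALI = """\
.method private static a()Ljava/lang/String;
    const/16 v0, 0xa
    new-array v0, v0, [B
    fill-array-data v0, :array_0
    new-instance v1, Ljava/lang/String;
    invoke-direct {v1, v0}, Ljava/lang/String;-><init>([B)V
    return-object v1
    :array_0
    .array-data 1
        0x68t
        0x74t
        0x74t
        0x70t
        0x3at
        0x2ft
        0x2ft
        0x63t
        0x26t
        0x63t
    .end array-data
.end method
.method private static b(Landroid/content/Context;)V
    invoke-static {}, Ljavax/crypto/Cipher;->getInstance(Ljava/lang/String;)Ljavax/crypto/Cipher;
    new-instance v0, Ldalvik/system/DexClassLoader;
    sget-object v1, Landroid/os/Build;->FINGERPRINT:Ljava/lang/String;
    const-string v2, "generic"
    invoke-virtual {v1, v2}, Ljava/lang/String;->startsWith(Ljava/lang/String;)Z
    return-void
.end method
"""

# Width-1 (.array-data 1) tables hold byte values written as 0x..t in smali.
ARRAY_RE = re.compile(r"\.array-data\s+1\s+(.*?)\.end array-data", re.S)
BYTE_RE = re.compile(r"(-?0x[0-9a-fA-F]+)t")

# Indicator strings are ordinary Android/Dalvik API references and common
# emulator property values; the grouping is this example's assumption.
INDICATORS = {
    "dynamic_loading": [
        "Ldalvik/system/DexClassLoader;",
        "Ldalvik/system/PathClassLoader;",
        "Ldalvik/system/InMemoryDexClassLoader;",
    ],
    "crypto": ["Ljavax/crypto/Cipher;"],
    "emulator_check": [
        "Landroid/os/Build;->FINGERPRINT",
        "Landroid/os/Build;->HARDWARE",
        "Landroid/os/Build;->MODEL",
        "Landroid/telephony/TelephonyManager;->getDeviceId",
        '"generic"', '"goldfish"', '"sdk"', '"000000000000000"',
    ],
}


def decode_byte_arrays(smali: str) -> list:
    """Return every width-1 byte table that decodes to printable ASCII.
    Negative byte literals (e.g. -0x1t) are masked back into 0..255."""
    found = []
    for match in ARRAY_RE.finditer(smali):
        raw = bytes(int(b, 16) & 0xFF for b in BYTE_RE.findall(match.group(1)))
        if raw and all(32 <= c < 127 for c in raw):
            found.append(raw.decode("ascii"))
    return found


def scan(smali: str) -> dict:
    """Collect indicator hits per category plus recovered hidden strings.
    The verdict is 'suspicious' when three or more of the four signals
    (three indicator categories + hidden strings) are present."""
    hits = {
        name: sorted(n for n in needles if n in smali)
        for name, needles in INDICATORS.items()
    }
    hidden = decode_byte_arrays(smali)
    signals = sum(1 for v in hits.values() if v) + (1 if hidden else 0)
    return {"hits": hits, "hidden_strings": hidden,
            "signals": signals, "suspicious": signals >= 3}


if __name__ == "__main__":
    result = scan(SAMPLE_SMALI)
    for category, matched in result["hits"].items():
        print(f"{category:16s} {matched}")
    print("hidden strings:", result["hidden_strings"])
    print("suspicious:", result["suspicious"], f"({result['signals']} signals)")
```

Run it over the output of `apktool d` (or `baksmali`) by concatenating the `.smali` files into one string; a single class rarely shows all three signals, so in practice the scan is applied per APK rather than per file. Recovered strings from byte tables are the most useful output, since a C2 hostname or a Bitcoin address hidden this way is exactly what a plain string search would miss.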

Tim Erlin, Sr director, product management at Tripwire, said:

“Both Google and Apple put in quite a lot of effort to keep malicious apps out of their respective repositories, but no system is perfect. Criminals are constantly testing the defenses in place with new techniques to sneak malicious apps past.”

Craig Young, security researcher at Tripwire, added that with 2.2 million apps in Google’s Play Store it is inevitable that some bad apples will get through, and that while users can still trust the Play Store, they need to keep a few tips in mind to stay safe.

“First of all, you should never ever grant administrator permission to any application without absolute trust for why it is needed. Also starting with the 2015 release of Android 6, applications started requesting permission at run time rather than install so it is very apparent when an app tries to steal contacts or other personal data.

Unfortunately, he continued, only a little over 30% of Android devices are running this version or newer due to many low-end phones being neglected by vendors with respect to providing updates.

“This is why it's important to buy Android devices from vendors that have made commitments to keeping the product up to date for a specified amount of time. In today's market, the best choice for that would be Google's own Pixel phone, which has essentially replaced their Nexus line.

“It's also interesting to note that while this user was apparently running antivirus software, they were still infected. While many people perceive antivirus as a critical security control, many security professionals have been questioning its value for many years,” Young said.
