
More trouble for Google Play

By Staff Writer, ITWeb
Johannesburg, 30 Jan 2017
Attackers are increasingly targeting the Android platform.

Google Play has been hit by new ransomware that steals contacts and SMS messages from the user's device.

The malware was recently discovered by Israel-based security solutions vendor Check Point Software Technologies. The company says it detected and quarantined the Android device of an unsuspecting customer employee who had downloaded and installed the zero-day mobile ransomware, dubbed "Charger", from Google Play.

According to Check Point, this incident demonstrates how malware can be a dangerous threat to a business, and how advanced behavioural detection fills mobile security gaps attackers use to penetrate entire networks.

Charger was found embedded in an app called EnergyRescue. The infected app steals contacts and SMS messages from the user's device and asks for admin permissions. If granted, the ransomware locks the device and displays a message demanding payment:
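The permission combination described above (contact and SMS access plus a device-admin receiver) is something a defender can screen for when triaging a decoded manifest. The following is an added example, not Check Point's or ITWeb's code; the manifest it runs on is constructed and the package name is a placeholder.

```python
# Triage heuristic (added example): flag an Android manifest that combines
# contact/SMS access with a device-admin receiver, as described for Charger.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

def _attr(elem, name):
    return elem.get(f"{{{ANDROID_NS}}}{name}")

def triage_manifest(manifest_xml: str) -> dict:
    """Return which risk indicators a decoded AndroidManifest.xml shows."""
    root = ET.fromstring(manifest_xml)
    perms = {_attr(p, "name") for p in root.iter("uses-permission")}
    data_perms = perms & {"android.permission.READ_CONTACTS",
                          "android.permission.READ_SMS"}
    # A device-admin receiver is declared with BIND_DEVICE_ADMIN and the
    # DEVICE_ADMIN_ENABLED action; that is what lets an app lock the screen.
    admin_receiver = False
    for rcv in root.iter("receiver"):
        if _attr(rcv, "permission") != "android.permission.BIND_DEVICE_ADMIN":
            continue
        actions = {_attr(a, "name") for a in rcv.iter("action")}
        if "android.app.action.DEVICE_ADMIN_ENABLED" in actions:
            admin_receiver = True
    return {
        "data_permissions": sorted(data_perms),
        "device_admin": admin_receiver,
        "suspicious": admin_receiver and bool(data_perms),
    }

# Constructed sample manifest shaped like the behaviour the article describes
# (package name is a placeholder, not the real app's).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder">
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

A hit is only a triage signal: legitimate device-management apps declare the same receiver, so the result points to what to inspect next, not to a verdict.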

"You need to pay for us, otherwise we will sell portion of your personal information on black market every 30 minutes. We give 100% guarantee that all files will restore after we receive payment. We will unlock the mobile device and delete all your data from our server! Turning off your phone is meaningless, all your data is already stored on our servers! We still can sell it for spam, fake, bank crime etc... We collect and download all of your personal data. All information about your social networks, bank accounts, credit cards. We collect all data about your friends and family." (sic)

Android, which has an 86.6% market share, according to IDC, made headlines recently with attackers increasingly targeting the platform.

Last year, a million Google accounts were compromised in a massive fraud campaign exploiting Android devices and Google Play.

At the heart of the campaign was a new variant of Android malware dubbed Gooligan, concealed in dozens of Android apps that exploit two unpatched flaws in Android to root infected devices.

Last year also saw a new form of Android Trojan malware capable of attacking the routers controlling the wireless networks of its victims, leaving them vulnerable to further cyber attacks, fraud and data theft.

Dubbed 'Switcher Trojan', the malware uses unsuspecting Android device users as tools to redirect all traffic from WiFi-connected devices on the network into the hands of cyber criminal attackers.

Check Point notes the Charger ransom demand for 0.2 Bitcoins (roughly $180) is a much higher ransom demand than has been seen in mobile ransomware so far.

By comparison, it adds, the DataLust ransomware demanded $15. "Payments are made to a specific Bitcoin account, but we haven't identified any payments so far," says Andrey Polkovnichenko, security researcher at Check Point.

He explains that the malware uses several advanced techniques to hide its real intentions and make it harder to detect.

"It encodes strings into binary arrays, making it hard to inspect them. It also loads code from encrypted resources dynamically, which most detection engines cannot penetrate and inspect. The dynamically-loaded code is also flooded with meaningless commands that mask the actual commands passing through.

"Charger also checks whether it is being run in an emulator before it starts its malicious activity. PC malware first introduced this technique which is becoming a trend in mobile malware, having been adopted by several malware families, including Dendroid."

Polkovnichenko explains that adware commonly found on Play collects profits from ad networks, but mobile ransomware inflicts direct harm to users. "Like FakeDefender and DataLust, Charger could be an indicator of a wider effort by mobile malware developers to catch up with their PC ransomware cousins."

According to Polkovnichenko, similar to other malware seen in the past, Charger checks the local settings of the device and does not run its malicious logic if the device is located in Ukraine, Russia, or Belarus. He believes this is likely done to keep the developers from being prosecuted in their own countries or being extradited between countries.

"Most malware found on Google Play contains only a dropper that later downloads the real malicious components to the device. Charger, however, uses a heavy packing approach which makes it harder for the malware to stay hidden, so it must compensate with other means. The developers of Charger gave it everything they had to boost its evasion capabilities and so it could stay hidden on Google Play for as long as possible."
