Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?


Malware & Threats

Charger Android Ransomware Infects Apps on Google Play

A newly discovered piece of Android ransomware embedded in apps available on Google Play threatens to sell a victim’s personal data on the black market if they don’t pay, Check Point security researchers warn.

A newly discovered piece of Android ransomware embedded in apps available on Google Play threatens to sell a victim’s personal data on the black market if they don’t pay, Check Point security researchers warn.

Dubbed Charger, the threat was found embedded in an application called EnergyRescue, and had the ability to steal contacts and SMS messages, while also asking for admin permissions on the device. If permissions are granted, the ransomware locks the device and displays a message demanding payment.

While threatening to sell victim’s personal information on the black market, the malware authors also claim that all of the victim’s data has been already saved on an attacker-controlled server. The miscreants say that the stolen information includes social network details, bank accounts, credit cards, as well as all data about the victim’s “friends and family.”

The demanded ransom is 0.2 Bitcoins (around $180), which “is a much higher ransom demand than has been seen in mobile ransomware so far,” Check Point notes. Previously spotted mobile ransomware such as DataLust only demanded a $15 ransom. Charger victims are asked to send the payments to a specific Bitcoin account.

With Android ransomware inflicting direct harm to users, it’s clear that Charger is yet another attempt by mobile malware developers to catch up with the PC ransomware, which has been wreaking havoc for the past couple of years. Recently, even the Tordow Android banking Trojan was seen packing data collection capabilities and ransomware-like behavior.

Charger was observed checking the infected device’s location to ensure it doesn’t run on those located in Ukraine, Russia, or Belarus, supposedly in an attempt to avoid being prosecuted in their own countries or being extradited between countries.

While other malware in Google Play uses a dropper to download the malicious payload, Charger uses a heavy packing approach, which makes it harder for it to stay hidden. However, the ransomware authors did boost its evasion capabilities to ensure it can stay hidden in Google Play: the malware encodes strings into binary arrays to make it hard to inspect them, loads code from encrypted resources dynamically, and checks whether it runs in an emulator before running its routine.

Advertisement. Scroll to continue reading.

According to Check Point, most detection engines cannot penetrate and inspect dynamically-loaded code, and the authors added an extra layer of protection by flooding the code with meaningless commands to mask the actual commands passing through. The researchers also point out that more and more mobile malware is running checks to avoid running in emulators and virtual machines, just as it happens in the PC malware landscape.

Related: Updated Tordow Android Malware Gets Ransomware Capabilities

Related: Millions Download HummingBad Variant via Google Play

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Mobile & Wireless

Critical security flaws expose Samsung’s Exynos modems to “Internet-to-baseband remote code execution” attacks with no user interaction. Project Zero says an attacker only needs...

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.