A newly discovered piece of Android ransomware embedded in apps available on Google Play threatens to sell a victim’s personal data on the black market if they don’t pay, Check Point security researchers warn.
Dubbed Charger, the threat was found embedded in an application called EnergyRescue, and had the ability to steal contacts and SMS messages, while also asking for admin permissions on the device. If permissions are granted, the ransomware locks the device and displays a message demanding payment.
While threatening to sell victim’s personal information on the black market, the malware authors also claim that all of the victim’s data has been already saved on an attacker-controlled server. The miscreants say that the stolen information includes social network details, bank accounts, credit cards, as well as all data about the victim’s “friends and family.”
The demanded ransom is 0.2 Bitcoins (around $180), which “is a much higher ransom demand than has been seen in mobile ransomware so far,” Check Point notes. Previously spotted mobile ransomware such as DataLust only demanded a $15 ransom. Charger victims are asked to send the payments to a specific Bitcoin account.
With Android ransomware inflicting direct harm to users, it’s clear that Charger is yet another attempt by mobile malware developers to catch up with the PC ransomware, which has been wreaking havoc for the past couple of years. Recently, even the Tordow Android banking Trojan was seen packing data collection capabilities and ransomware-like behavior.
Charger was observed checking the infected device’s location to ensure it doesn’t run on those located in Ukraine, Russia, or Belarus, supposedly in an attempt to avoid being prosecuted in their own countries or being extradited between countries.
While other malware in Google Play uses a dropper to download the malicious payload, Charger uses a heavy packing approach, which makes it harder for it to stay hidden. However, the ransomware authors did boost its evasion capabilities to ensure it can stay hidden in Google Play: the malware encodes strings into binary arrays to make it hard to inspect them, loads code from encrypted resources dynamically, and checks whether it runs in an emulator before running its routine.
According to Check Point, most detection engines cannot penetrate and inspect dynamically-loaded code, and the authors added an extra layer of protection by flooding the code with meaningless commands to mask the actual commands passing through. The researchers also point out that more and more mobile malware is running checks to avoid running in emulators and virtual machines, just as it happens in the PC malware landscape.
Related: Updated Tordow Android Malware Gets Ransomware Capabilities
Related: Millions Download HummingBad Variant via Google Play