An app that was available to members of the public for download from the Google Play store has been discovered to have contained ransomware. In recent days, Google acted to remove the ransomware app from its Play Store, however it remains unknown how many individuals had already been infected.
The malicious app concerned is named EnergyRescue. Its raison d'être was supposedly to assist users in managing the use of their smartphone batteries. Unfortunately, it is now clear that this was not the true purpose of the app. CheckPoint researchers have confirmed that the app was malicious and that it contained a form of malware labelled ‘Charger’. The malware is an information stealer and was being used to steal text messages from devices that had been infected. The Charger malware is also capable of stealing other private information contained in infected Android phones and has a ransomware component that can lock users’ phones after the information is stolen.
Users reported that they were subsequently presented with a ransom demand for a 0.2 Bitcoin (i.e. roughly $180) payment to unlock their device. They were threatened that if the ransom was not paid, the phone would remain locked indefinitely. Turning off the device is ineffective. The only way for users to recover their data and restore their smartphones was to pay the ransom.
Alternative Android app stores are known to lack the strict controls that Google employs on its Play Store. A number of apps from such stores have in the past been discovered to contain both malware and ransomware; however, this is the first occasion on which a ransomware app has been found on Google Play.
Very occasionally, malicious apps have managed to elude Google’s security controls, but previously those apps did not themselves contain malware. In past incidents the apps involved were found to contain code that downloads malware from servers maintained by the attackers. In the present case, however, the app was discovered to contain all the files necessary to steal information and block victims’ handsets.
Although the origin of the ransomware app remains unknown, it is understood that the authors are based in either Russia, Ukraine, or Belarus. Experts can infer this because the Charger malware includes code that checks where the device is located: should the device be in any of those countries, the malware will not function. This measure was in all probability incorporated to allow the attackers to escape prosecution in the event that they are caught.
CheckPoint believe that the developers of Charger made every effort to make the malware evasive so as to ensure that it could stay hidden on Google Play for the maximum period possible.
While it must be stressed that the appearance of malicious apps in the Google Play Store remains rare, this incident indicates that users are not 100% safe no matter which app store they use. It remains significantly safer to use only official app stores; however, there is never a guarantee that smartphones cannot be infected even when using them. Business customers beware. Gaps in mobile security can be – and indeed are – exploited by cyber attackers. These might also be exploited to obtain access to the networks that serve corporate mobile devices.