There is a new ransomware in Google Play embedded in an app called EnergyRescue that can steal contacts and SMS messages from the user’s device and asks for admin permissions, researchers said.
If it ends up getting the permission, the ransomware will lock the device and show a message demanding payment, said researchers from Check Point Mobile Threat Prevention.
Apparently, an Android device user unknowingly downloaded and installed the ransomware called Charger and the Check Point researchers detected and quarantined the device.
The early detection enabled them to disclose the findings to Android’s Security team which added the malware to Android’s built-in protection mechanisms before it began to spread.
The message demanding payment said:
“You need to pay for us, otherwise we will sell portion of your personal information on black market every 30 minutes. WE GIVE 100% GUARANTEE THAT ALL FILES WILL RESTORE AFTER WE RECEIVE PAYMENT. WE WILL UNLOCK THE MOBILE DEVICE AND DELETE ALL YOUR DATA FROM OUR SERVER! TURNING OFF YOUR PHONE IS MEANINGLESS, ALL YOUR DATA IS ALREADY STORED ON OUR SERVERS! WE STILL CAN SELLING IT FOR SPAM, FAKE, BANK CRIME etc… We collect and download all of your personal data. All information about your social networks, Bank accounts, Credit Cards. We collect all data about your friends and family.”
The ransom demand is for 0.2 Bitcoins or roughly $180.
Charger uses a heavy packing approach, which makes it harder for the malware to stay hidden. Charger’s developers compensated for this by using different techniques to boost its evasion capabilities so it could stay hidden on Google Play for as long as possible.
The techniques include:
• Encoding strings into binary arrays, making it hard to inspect them.
• Loading code from encrypted resources dynamically, which most detection engines cannot penetrate and inspect.
• Checking whether it is being run in an emulator before it starts its malicious activity.