Android Ransomware App Hosted in Google Play Infects Unsuspecting Android User
“Mobile presents an easy target for cyber criminals because it is an attack surface that is open and extremely difficult to defend once an app has been released.”
Google Play, the official market for Android apps, was caught hosting a ransomware app. In its blog post, Check Point explains how a zero-day mobile ransomware distributed through Google Play, dubbed “Charger”, infected at least one real-world handset. This clearly shows how pivotal advanced behavioral detection is fast becoming where security breaches are concerned.
Charger was hidden inside an app called EnergyRescue, which posed as a battery-saving application. Once installed, Charger can access SMS messages and contacts, and it prompts the user to grant it administrator rights. It first checks the device’s local settings and does not execute its malicious payload if the device is located in Ukraine, Russia, or Belarus, probably as a safety measure against potential legal action.
If the unsuspecting user agrees, the malware locks the device and displays the following:
You need to pay for us, otherwise we will sell portion of your personal information on black market every 30 minutes. WE GIVE 100% GUARANTEE THAT ALL FILES WILL RESTORE AFTER WE RECEIVE PAYMENT. WE WILL UNLOCK THE MOBILE DEVICE AND DELETE ALL YOUR DATA FROM OUR SERVER! TURNING OFF YOUR PHONE IS MEANINGLESS, ALL YOUR DATA IS ALREADY STORED ON OUR SERVERS! WE STILL CAN SELLING IT FOR SPAM, FAKE, BANK CRIME etc… We collect and download all of your personal data. All information about your social networks, Bank accounts, Credit Cards. We collect all data about your friends and family.
The reported ransom was $180, payable as 0.2 Bitcoin. This is significantly higher than what other forms of ransomware often demand.
It is an interesting twist that the note gives the user an ultimatum. The time limit assumes that the user already holds Bitcoin or can buy it that quickly. If the user buys it from the infected mobile device, the payment data is exposed as well.
This malware also differs from other malware in its ‘heavy packing’ approach: the malicious code is present in full at install time and does not download additional components later.
Check Point explains that the malware uses several advanced techniques to hide its real intentions and make it harder to detect.
It encodes strings into binary arrays, making them hard to inspect.
It loads code from encrypted resources dynamically, which most detection engines cannot penetrate and inspect. The dynamically loaded code is also flooded with meaningless commands that mask the actual commands passing through.
It checks whether it is being run in an emulator before it starts its malicious activity. This technique was first introduced by PC malware and is becoming a trend in mobile malware, having been adopted by several malware families, including Dendroid.
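The evasion techniques listed above (strings hidden in byte arrays, dynamic code loading, emulator checks) and the country geo-fence described earlier all leave traces in a decompiled APK. The following static triage script is an added example written for this page, not Check Point’s tooling and not derived from the Charger sample: it takes manifest entries, string constants and byte-array constants that an analyst would pull out of an APK, recovers text hidden in byte arrays, and scores the indicators. The indicator names (dalvik.system.DexClassLoader, ro.kernel.qemu, goldfish, the device-admin permission) are real Android identifiers commonly used in such heuristics; the weights, the score threshold and the assumption that the geo-fence shows up as the ISO codes UA/RU/BY are illustrative choices, and all sample inputs are constructed.

```python
"""Static triage of decompiled Android app artefacts for Charger-style indicators.

Added example (not the article's or Check Point's code). Inputs imitate what an
analyst extracts from an APK: manifest permission strings, string constants, and
integer arrays found as constants in the bytecode. Weights and the verdict
threshold are assumptions chosen for illustration.
"""
from typing import Dict, List, Tuple

# Manifest-level indicators: device-admin request plus SMS/contacts access.
MANIFEST_INDICATORS: Dict[str, Tuple[str, int]] = {
    "android.permission.BIND_DEVICE_ADMIN": ("device-admin request", 3),
    "android.permission.READ_SMS": ("SMS access", 2),
    "android.permission.RECEIVE_SMS": ("SMS access", 2),
    "android.permission.READ_CONTACTS": ("contacts access", 2),
    "android.permission.SYSTEM_ALERT_WINDOW": ("screen overlay", 2),
}

# Code-level indicators: dynamic loading of (encrypted) code and emulator checks.
STRING_INDICATORS: Dict[str, Tuple[str, int]] = {
    "dalvik.system.DexClassLoader": ("dynamic code loading", 3),
    "dalvik.system.PathClassLoader": ("dynamic code loading", 2),
    "javax.crypto.Cipher": ("encrypted resource handling", 1),
    "ro.kernel.qemu": ("emulator check", 3),
    "goldfish": ("emulator check", 3),
    "generic_x86": ("emulator check", 2),
}

# Assumption: the geo-fence (Ukraine, Russia, Belarus) appears as ISO codes.
GEOFENCE_CODES = {"UA", "RU", "BY"}


def decode_byte_arrays(arrays: List[List[int]], min_len: int = 4) -> List[str]:
    """Recover text from integer arrays that are plausibly ASCII strings.

    Storing strings as byte arrays defeats naive string scans; here any array
    that is at least 90% printable is decoded, anything else is ignored.
    """
    recovered = []
    for arr in arrays:
        if len(arr) < min_len or not all(0 <= b < 256 for b in arr):
            continue
        text = bytes(arr).decode("latin-1")
        printable = sum(32 <= ord(c) < 127 for c in text)
        if printable / len(text) >= 0.9:
            recovered.append(text.strip())
    return recovered


def triage(manifest: List[str], strings: List[str],
           byte_arrays: List[List[int]]) -> Dict:
    """Score an app's artefacts; each indicator label counts at most once."""
    findings: Dict[str, int] = {}

    def hit(label: str, weight: int) -> None:
        findings[label] = max(findings.get(label, 0), weight)

    for entry in manifest:
        if entry in MANIFEST_INDICATORS:
            hit(*MANIFEST_INDICATORS[entry])

    recovered = decode_byte_arrays(byte_arrays)
    if recovered:
        hit("strings hidden in byte arrays", 2)

    all_strings = list(strings) + recovered  # scan recovered text too
    for s in all_strings:
        for needle, (label, weight) in STRING_INDICATORS.items():
            if needle in s:
                hit(label, weight)

    # Geo-fence heuristic: all three country codes present as separate tokens.
    tokens = {t.upper() for s in all_strings for t in s.replace(",", " ").split()}
    if GEOFENCE_CODES <= tokens:
        hit("country geo-fence (UA/RU/BY)", 2)

    score = sum(findings.values())
    return {
        "score": score,
        "findings": findings,
        "recovered_strings": recovered,
        "verdict": "suspicious" if score >= 8 else "low",
    }


# Constructed sample artefacts (not from a real APK).
SAMPLE_MANIFEST = [
    "android.permission.INTERNET",
    "android.permission.READ_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.BIND_DEVICE_ADMIN",
]
SAMPLE_STRINGS = ["dalvik.system.DexClassLoader", "assets/payload.bin", "ro.kernel.qemu"]
SAMPLE_BYTE_ARRAYS = [
    [117, 97, 44, 114, 117, 44, 98, 121],  # hides "ua,ru,by"
    [0, 1, 2, 3, 4, 5, 6, 7],              # binary data, not text
    [104, 116, 116, 112],                  # hides "http"
]
BENIGN_MANIFEST = ["android.permission.INTERNET"]
BENIGN_STRINGS = ["https://example.invalid/update"]

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, SAMPLE_STRINGS, SAMPLE_BYTE_ARRAYS))
    print(triage(BENIGN_MANIFEST, BENIGN_STRINGS, []))
```

Run as-is, the constructed sample scores 17 and is flagged suspicious, while the benign artefacts score 0. None of these indicators is conclusive on its own (legitimate apps use DexClassLoader and request SMS permissions), which is why the script reports the full findings dictionary rather than only a verdict: the combination of device-admin, SMS access, dynamic loading, emulator checks and a geo-fence is what matches the behaviour described for Charger.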
According to Check Point, the developers of Charger weren’t looking to make an impact with this release. Instead, in comments made to Ars Technica, Check Point explains that the developers were probably only ‘testing the waters’ on this occasion. This seems to imply that, had the plan executed successfully, it could have paved the way for an evolved version.
Check Point also explained that only a “handful” of downloads of the EnergyRescue app occurred during the four days that the app was available via the Google Play Store. In spite of the limited number of downloads, the blog post does confirm that Charger was “detected and quarantined” on an Android device.
Mobile malware has become an increasing problem for enterprises. The use of Bring Your Own Device (BYOD) has expanded massively. Organizations now prefer a desktop PC over other forms of computing. Without proper controls, BYOD means that mobile devices are becoming a lucrative entry point for criminals into the enterprise.
For now, users must be aware of the apps they install, and especially of the permissions those apps request. Regular backups and exercising caution are necessary, especially given the current rise in ransomware.