An app in the Google Play store has been discovered to have been loaded with ransomware. Google has recently removed the ransomware app from its Play Store, although it is not known how many individuals have already been infected.
The app in question is called EnergyRescue. The purpose of the app was to help users manage the use of their phone batteries. However, that was not the real purpose of the app. According to researchers at CheckPoint, the app was malicious and contained a form of malware dubbed Charger. The malware was an information stealer and was used to steal SMS messages from infected devices. The Charger malware was also capable of stealing other sensitive data from infected Android phones and had a ransomware component that would lock users’ phones after information had been stolen.
Users were then presented with a ransom demand asking for a 0.2 Bitcoin (approximately $180) ransom payment to unlock their device. If the ransom demand was not paid, the phone would remain locked forever. Powering off the device would have no effect. The only way that users could recover their data and restore their phones was by paying the ransom demand.
Third-party Android app stores lack the strict controls employed by Google. Apps on those third-party stores have previously been discovered to contain malware and ransomware, although this is the first time that a ransomware app has been discovered on Google Play.
Occasionally malicious apps are snuck past Google’s security controls, but those apps typically have not contained the malware itself. Instead they contain code that downloads malware from servers maintained by the attackers. In this case, however, the app contained all of the files it needed to steal information and block victims’ devices.
While the origin of the ransomware app is not known, the authors are believed to reside in either Russia, Ukraine, or Belarus. This can be inferred because the Charger malware contains code that checks where the device is located. If the device is in any of those countries, the malware will not run. This measure was most likely incorporated to allow the attackers to avoid prosecution if they are caught.
According to CheckPoint, “The developers of Charger gave it everything they had to boost its evasion capabilities and so it could stay hidden on Google Play for as long as possible.”
While malicious apps appearing in the Google Play Store are something of a rarity, this incident demonstrates that users are not entirely safe no matter which app store they use. It is still safer to use only official app stores, but there is no guarantee that devices will not be infected by apps from official app stores. Business users should take note. Mobile security gaps can be, and are, exploited by attackers. They could also potentially be exploited to gain access to the networks to which corporate mobile devices connect.