Data-stealing Android ransomware removed from Google Play store

'Charger' ransomware threatened to sell victims' data if they didn't pay up in Bitcoin.
Written by Danny Palmer, Senior Writer

Mobile ransomware dubbed 'Charger' somehow slipped through security to become available via Google Play.


A nasty form of mobile ransomware which steals data from its victims has been discovered on and now removed from the official Google Play store for Android.

Dubbed 'Charger' by cybersecurity researchers at Check Point, the zero-day mobile ransomware was found embedded in EnergyRescue, an app supposedly designed to enhance the battery life of phones and tablets. Charger was detected on the device of an employee at a Check Point customer, who had downloaded the malicious app from Google Play.

Once downloaded from the store, the app initially steals contact data and text messages from the device before asking the user for admin permissions, which if granted will run the ransomware, locking the device and displaying a note demanding payment.
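The behaviour described above (reading contacts and text messages, then requesting device-administrator rights) leaves a recognisable footprint in an app's manifest. The following script is an added example, not Check Point's tooling or anything from the EnergyRescue app: it parses a decoded AndroidManifest.xml and flags the combination of contact/SMS permissions with a device-admin receiver. The two manifests embedded in it are constructed for the example; the permission and action names are standard Android identifiers. The package name `com.example.batterysaver` and the receiver name `.AdminReceiver` are placeholders.

```python
"""Static triage of a decoded AndroidManifest.xml for the pattern described
in the article: data-access permissions (contacts, SMS) combined with a
device-administrator receiver. Heuristic only: a legitimate MDM or
anti-theft app can match too, so treat a hit as a reason to look closer."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions that grant access to the data the article says Charger steals.
DATA_PERMS = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
}

# A device-admin component is a receiver protected by this permission that
# listens for this action; granting it lets the app lock the device.
DEVICE_ADMIN_PERM = "android.permission.BIND_DEVICE_ADMIN"
DEVICE_ADMIN_ACTION = "android.app.action.DEVICE_ADMIN_ENABLED"


def _attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def triage_manifest(xml_text):
    """Return which data permissions and device-admin receivers a manifest
    declares, and whether both are present at once."""
    root = ET.fromstring(xml_text)
    declared = {_attr(e, "name") for e in root.iter("uses-permission")}
    data_perms = sorted(declared & DATA_PERMS)

    admin_receivers = []
    for recv in root.iter("receiver"):
        if _attr(recv, "permission") != DEVICE_ADMIN_PERM:
            continue
        actions = {_attr(a, "name") for a in recv.iter("action")}
        if DEVICE_ADMIN_ACTION in actions:
            admin_receivers.append(_attr(recv, "name"))

    return {
        "data_permissions": data_perms,
        "device_admin_receivers": admin_receivers,
        "suspicious": bool(data_perms) and bool(admin_receivers),
    }


# Constructed sample: a "battery" app that reads contacts and SMS and
# registers a device-admin receiver (placeholder names, not EnergyRescue's).
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.batterysaver">
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed sample: a battery app that only needs network access.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.batterysaver">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""


if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_MANIFEST),
                            ("benign", BENIGN_MANIFEST)):
        print(label, triage_manifest(manifest))
```

A decoded manifest of this form is what apktool or a similar decoder produces from an APK; the script does not handle the binary XML inside a raw APK. The check is deliberately narrow so that it produces a short, explainable list of findings rather than a score.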

Like many cybercriminals behind ransomware schemes, the malicious actors behind Charger demand a ransom in Bitcoin, asking for 0.2 Bitcoin -- worth around $180 -- in return for unlocking the device.

The message also threatens the victim, telling them that if they don't pay, the perpetrators will sell a portion of the information stored on the phone on the 'black market' every 30 minutes.

"We collect and download all of your personal data. All information about your social networks, Bank accounts, Credit Cards. We collect all data about your friends and family," the ransom note claims.

This is far from the first instance of Android malware and isn't even the first time it has been discovered on the Google Play store. But in most cases, the malicious payload is hidden deep within the application code, only running at a later time.

Charger, on the other hand, gets to work much faster and uses techniques such as encoding strings into binary arrays -- making them harder to inspect -- and loading code from encrypted resources in order to avoid detection.

Researchers haven't discovered who is behind the ransomware, but when installed on a device, Charger checks its location settings. If the device is located in Ukraine, Russia, or Belarus, it doesn't run the malicious code, suggesting the cybercriminal operation behind the ransomware scheme might be based out of Eastern Europe.

Android's security team was alerted to the existence of Charger and the EnergyRescue app is no longer available on the Play Store. The malware is thought to have only infected a handful of devices.

"We appreciate Check Point's efforts to raise awareness about this issue. We've taken the appropriate actions in Play, and will continue to work closely with the research community to help keep Android users safe," a Google spokesperson told ZDNet.
