A nasty form of mobile ransomware which steals data from its victims has been discovered on, and now removed from, the official Google Play store for Android.
Dubbed 'Charger' by cybersecurity researchers at Check Point, the zero-day mobile ransomware was found embedded in EnergyRescue, an app supposedly designed to enhance the battery life of phones and tablets. Charger was detected on the device of an employee at a Check Point customer, who had downloaded the malicious app from Google Play.
Once downloaded from the store, the app initially steals contact data and text messages from the device before asking the user for admin permissions, which, if granted, will run the ransomware, locking the device and displaying a note demanding payment.
Charger, on the other hand, gets to work much faster and uses techniques such as encoding strings into binary arrays -- making them harder to inspect -- and loading code from encrypted resources in order to avoid detection.
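For analysts triaging an app, strings hidden this way can be recovered from decompiled source. This is an added example, not Check Point's tooling or code from the app; it covers only plain literal byte arrays, not the encrypted resources.
It assumes the arrays appear as Java `byte[]` initialisers in decompiler output, and the sample input and the names `SAMPLE`, `parse_bytes` and `hidden_strings` are constructed for illustration.

```python
import re

# Constructed sample of decompiled Java (not taken from the Charger app).
SAMPLE = '''
class a {
    static final byte[] k = new byte[]{104, 116, 116, 112, 58, 47, 47, 101, 120,
        97, 109, 112, 108, 101, 46, 105, 110, 118, 97, 108, 105, 100};
    static final byte[] t = new byte[]{(byte) 0xCA, (byte) 0xFE, 1, 2, 3, 4, 5, 6};
    static final byte[] s = {0x63, 0x6f, 0x6e, 0x74, 0x61, 0x63, 0x74, 0x73};
    int[] sizes = new int[]{1, 2, 3};
}
'''

# byte[] <name> = [new byte[]] { ...elements... }
ARRAY_RE = re.compile(
    r"byte\s*\[\s*\]\s*(\w+)\s*=\s*(?:new\s+byte\s*\[\s*\]\s*)?\{([^}]*)\}")
CAST_RE = re.compile(r"\(\s*byte\s*\)")

def parse_bytes(body):
    """Turn the text between the braces into bytes, or None if not all literals."""
    out = bytearray()
    for tok in CAST_RE.sub("", body).split(","):
        tok = tok.strip()
        if not tok:
            continue
        try:
            out.append(int(tok, 0) & 0xFF)  # Java bytes are signed; mask to 0..255
        except ValueError:
            return None  # computed element, not a plain numeric literal
    return bytes(out)

def hidden_strings(source, min_len=4):
    """Return {field_name: decoded_text} for byte arrays that hold printable text."""
    found = {}
    for name, body in ARRAY_RE.findall(source):
        raw = parse_bytes(body)
        if raw is None or len(raw) < min_len:
            continue
        try:
            text = raw.decode("utf-8")
        except UnicodeDecodeError:
            continue  # binary data such as keys or magic numbers
        if text.isprintable():
            found[name] = text
    return found

if __name__ == "__main__":
    for name, text in hidden_strings(SAMPLE).items():
        print(f"{name}: {text!r}")
```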
Researchers haven't discovered who is behind the ransomware, but when installed on a device, Charger checks its location settings. If the device is located in the Ukraine, Russia, or Belarus, it doesn't run the malicious code, suggesting the cybercriminal operation behind the ransomware scheme might be based out of Eastern Europe.
Android's security team was alerted to the existence of Charger and the EnergyRescue app is no longer available on the Play Store. The malware is thought to have only infected a handful of devices.
"We appreciate Check Point's efforts to raise awareness about this issue. We've taken the appropriate actions in Play, and will continue to work closely with the research community to help keep Android users safe," a Google spokesperson told ZDNet.