Charger has been found embedded in an app called EnergyRescue, which steals contacts and SMS messages from the user's device and asks for device administrator permissions. Once granted, the ransomware locks the device and displays a message demanding payment. Researchers detected and quarantined the Android device of an unsuspecting customer employee who had unknowingly downloaded and installed the ransomware. The early detection let them quickly report the findings to Android's security team, which added the malware to Android's built-in protection mechanisms before it could spread, so only a limited number of devices were infected.
Charger mobile ransomware uses a different approach.
Unlike most malware found on Google Play, which contains a dropper that later downloads the real malicious components to the device, Charger uses a heavy packing approach. This makes it harder for the malware to stay hidden, so Charger's developers compensated with a variety of techniques that boost its evasion capabilities and kept it on Google Play for as long as possible.
These included:
• Encoding strings into binary arrays, making it easier to stay incognito.
• Loading code from encrypted resources dynamically, which most detection engines cannot penetrate and inspect. The dynamically-loaded code is also flooded with meaningless commands that mask the actual commands passing through.
• Checking whether it is being run in an emulator before it starts its malicious activity. This technique was first introduced by PC malware and is becoming a trend in mobile malware, having been adopted by several malware families, including Dendroid.
The ransom is 0.2 Bitcoins, roughly $180, which is much more than has been seen in earlier mobile ransomware attacks. By comparison, the DataLust ransomware demanded merely $15. The higher demand could be an indicator of a wider effort by mobile malware developers to catch up with their PC ransomware cousins.
Similar to other malware seen in the past, Charger checks the local settings of the device and does not run its malicious logic if the device is located in Ukraine, Russia, or Belarus. This is likely done to keep the developers from being prosecuted in their own countries or being extradited between countries.
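The evasion traits listed above (device admin request, SMS/contacts access, strings hidden in byte arrays, dynamically loaded code, emulator checks) together with the Ukraine/Russia/Belarus exclusion can be turned into a static triage heuristic for an APK's decompiled output. The following is an added example for illustration, not Check Point's or any vendor's detection logic; the indicator patterns, weights, thresholds and the sample manifest and source strings are constructed assumptions.

```python
import re
# (name, regex per recovered string, weight): assumptions for this example, not a vendor signature.
INDICATORS = [
    ("device_admin", r"BIND_DEVICE_ADMIN|DevicePolicyManager", 3),
    ("sms_contacts", r"READ_SMS|READ_CONTACTS", 2),
    ("dynamic_load", r"DexClassLoader|loadDex", 3),
    ("emulator_check", r"goldfish|google_sdk|ro\.kernel\.qemu|^generic", 2),
    ("geo_exclusion", r"^(ru|ua|by)$", 2),  # country codes: Russia, Ukraine, Belarus
]
ARRAY_RX = re.compile(r"\{([^{}]+)\}")  # bodies of array literals such as {100,97,...}

def decode_byte_arrays(source):
    """Recover strings stored as numeric byte arrays; casts like (byte)0x41 are skipped."""
    recovered = []
    for body in ARRAY_RX.findall(source):
        try:
            vals = [int(tok.strip(), 0) for tok in body.split(",")]
        except ValueError:
            continue  # not a purely numeric array
        if vals and all(32 <= v < 127 for v in vals):  # printable ASCII only
            recovered.append(bytes(vals).decode("ascii"))
    return recovered

def score_strings(strings):
    """Return (total_weight, {indicator: (weight, [matching strings])})."""
    hits = {}
    for name, pattern, weight in INDICATORS:
        rx = re.compile(pattern, re.IGNORECASE)
        matched = sorted({s for s in strings if rx.search(s)})
        if matched:
            hits[name] = (weight, matched)
    return sum(w for w, _ in hits.values()), hits

def triage(manifest_strings, decompiled_source):
    """Combine manifest permissions with strings hidden in byte arrays, then score."""
    strings = list(manifest_strings) + decode_byte_arrays(decompiled_source)
    total, hits = score_strings(strings)
    verdict = "suspicious" if total >= 8 else "review" if total >= 4 else "benign"
    return verdict, total, hits

# Constructed sample (not from a real APK): admin + SMS/contacts permissions, plus
# byte arrays hiding "dalvik/system/DexClassLoader", "goldfish", "RU" and "BY".
SAMPLE_MANIFEST = ["android.permission.READ_SMS", "android.permission.READ_CONTACTS",
                   "android.permission.BIND_DEVICE_ADMIN"]
SAMPLE_SOURCE = """
new byte[]{100,97,108,118,105,107,47,115,121,115,116,101,109,47,68,101,120,67,108,97,115,115,76,111,97,100,101,114}
new byte[]{103,111,108,100,102,105,115,104}
new byte[]{82,85} new byte[]{0x42,0x59}
"""
```

Scanning only plaintext strings would miss the class-loader and locale indicators here; decoding the byte arrays first is what makes the combination visible.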