03:55 PM
Connect Directly

Google Removes Ransomware-Laden App From Play Store

Incident is believed to be first time threat actors have snuck ransomware into Google's official mobile app store.

A ransomware sample that was recently discovered embedded in an Android application on Google Play Store suggests that threat actors may have found a dangerous new way to get extortion malware on mobile devices.

The malware, dubbed Charger, is believed to be the first instance of ransomware being successfully uploaded to Google's official mobile application store. So far there have been no reported incidents of similar uploads on Apple’s App Store.

Security vendor Check Point software found Charger embedded in an Android batter- saving app called EnergyRescue when inspecting a quarantined device belonging to an employee of one of its enterprise clients.

Google has since purged the rogue application from Play Store so it no longer poses a threat to Android users. Still, the incident is a reminder that official mobile app stores, while considered much safer than third-party stores, are not immune from security risks and that enterprise users downloading apps from such stores cannot automatically assume the software will be malware free.

In an alert, Check Point described Charger as malware designed to surreptitiously steal SMS messages and contact information from an infected device, lock up the device, and then demand a ransom in return for unlocking it.

The extortion note threatened victims that all personal data extracted from their phone would be sold to cybercriminals if they didn't pay a ransom of 0.2 Bitcoin, or around about $180. The note reassured victims that their locked files would be restored after payment was received and warned them that it was futile to power off and restart their phone.


The ransom amount that the authors of Charger want is considerably higher than the $15 ransom demanded by those behind DataLust, another recent and prolific Android ransomware sample that targeted users of porn apps, Check Point security researchers Oren Koriat and Andrey Polkovnichenko wrote.

Malware previously uploaded to Google Play typically only contained a dropper for downloading the real payload from elsewhere on victim devices. EnergyRescue, on the other hand, contained all the malicious code for Charger with it, making it bulky and somewhat easy to spot, the researchers said. So in order to compensate, the authors of the malware employed multiple advanced techniques to evade detection, they added.

For example, the malware encoded strings into binary arrays making it harder for researchers to inspect them. The malware also dynamically loaded code from encrypted resources, preventing detection engines from inspecting it. Charger also checked to see if it was being run in an emulator before beginning malicious activity.

In a statement, a Google spokesman thanked Check Point for noticing the problem and disclosing it. "We've taken the appropriate actions in Play, and will continue to work closely with the research community to help keep Android users safe," the statement noted.

Like Apple, Google has implemented a variety of measures over the past several years to prevent people from uploading malicious and potentially harmful apps to Play Store. The company uses a combination of automated and manual inspections and ratings systems to vet applications for security issues before permitting them to be uploaded.

Google also has a Google Play App Security Improvement (ASI) program under which it offers guidance to help developers avoid common security pitfalls so their apps cannot be maliciously exploited. Earlier this month, Google claimed that the ASI program has helped about 90,000 Android app developers fix security problems in some 250,000 apps over the past few years.

The fact that attackers are still able to upload malware like Charger indicates that even such measures as an ASI are not always enough.

"This incident indicates that attackers are getting better in developing and employing advanced evasion techniques that manage to bypass the ever improving security measures," says Daniel Padon, a security researcher at Check Point.  

"Users should not rely on official app stores as their sole protection against malware," he says. They should also consider other measures such as threat emulation and detection, he says.

Related stories:


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
X ray tech
X ray tech,
User Rank: Apprentice
1/25/2017 | 4:50:14 PM
MS Outlook Support
Thanks. To keep updating with this news. Google have to do this, Because there are so many unwanted app on app store that cause your security problems.
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: just wondering...Thanx
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.