"Charger" was found embedded in an app called EnergyRescue.
"Charger" was found embedded in an app called EnergyRescue.

Researchers at Check Point detected and quarantined a zero-day mobile ransomware on the Android device of a customer, according to a company blog post.

The suspect malware, dubbed "Charger," was found embedded in an app called EnergyRescue downloaded from Google Play. The polluted app is capable of siphoning out contacts and SMS messages from the user's device and requests admin permissions, that, if awarded, will trigger the ransomware to lock the device and display a threatening message demanding payment.

All files will be restored once payment 0.2 Bitcoins (around $180) is received, the ransom note promises, otherwise portions of the victim's personal data will be put up for sale on underground forums every 30 minutes. And, that data includes social network contacts, bank accounts, credit cards and other information of the victim's friends and family. The attackers even go so far as to offer a "100% guarantee" that once payment is received, all control will be restored to the targeted owner.

The security vendor reported their findings to Android's Security team who removed the infected app and added the malware to its white list.

Charger might portend further types of this malware to issue from mobile malware developers, the researchers said.

The fact that Charger checks local settings on the device and won't trigger if the device is located in Ukraine, Russia or Belarus, leads the researchers to believe that the malware creators reside in that region and are looking to avoid prosecution there.

"Attackers develop new tactics to evade detection, or simply implement tactics which were used by other malware," Daniel Padon, part of the research team at Check Point, told SC Media on Friday. "There are endless ways in which an attacker can write a code which will achieve the same purpose. This renders most signature-based protections ineffective against new or adapted threats."

When asked what's so different about the delivery mechanism used in this iteration of the ransomware, Padon explained that most malware which manage to infiltrate Google Play, such as the recent HummingWhale, do so by uploading only a slim version of the malware which, to itself, has no malicious properties. This component is called the dropper. Once installed on a user's device, it downloads the actual malicious components. This procedure is necessary to evade Google's protections. 

"Charger uses a different approach," he said. "Instead of using a dropper, it hides the malicious sections of its code under several layers of packing and encryption."

For example, it encodes strings into binary arrays, obscuring inspection attempts, and dynamically loads code from encrypted resources, another strategy to evade detection by analysts and security tools. That code is further disguised with meaningless commands to add to the evasive techniques.

"This can be seen as someone who manages to cross the border with illegal contraband by hiding it in his dirty laundry," Padon explained. "By doing so, Charger managed to pass by Google's defenses, and into Google Play.

This level of sophistication illustrates that the attackers behind this ransomware have given it advanced evasion capabilities, says Padon. And, is a portent of things to come. "These could be improved in the future to allow additional samples of malware to evade detection, endangering all users."

While the ransom demand is much higher than has previously been seen in mobile malware (DataLust ransomware demanded $15), no evidence has yet surfaced of anyone paying up to the Bitcoin address, Padon said.