Security Architecture, Endpoint/Device Security, Endpoint/Device Security, Threat Management, Threat Management, Malware, Ransomware, Endpoint/Device Security, Endpoint/Device Security, Endpoint/Device Security

Shock to the system: Fake battery app zaps Android users with ‘Charger’ ransomware

A fake Android app that was temporarily available in the official Google Play store promises to improve mobile users' battery life, but actually distributes a newly discovered ransomware that steals contacts and SMS messages and renders devices inactive.

Dubbed Charger, the ransomware displays a ransom note message warning victims that their information – including data related to personal contacts, bank accounts, credit cards and social networking activity – has been downloaded onto a malicious server, according to a Tuesday blog post by Check Point Software Technologies, whose researchers discovered the malware approximately four weeks ago.

The note threatens to sell portions of this data data every 30 minutes unless a ransom of 0.2 bitcoins is paid, although Check Point researcher Daniel Padon told SC Media in an email interview that the company's Analysis and Response Team has not found any indications of this activity. The 0.2 bitcoin demand, which as of this posting equates to nearly $180, is an unusually stiff penalty, the blog post observed, noting that fellow mobile ransomware DataLust charges only $15.


Charger is distributed via a fake utility app called Energy Rescue, which advertises itself as tool that makes your battery work longer by scanning for and fixing inactive weak cells. "The malware uses a complex packing system to hide the malicious functionality in an encrypted part of the code. Simple static analysis engines are unable to penetrate this package and simply allow the malware through," Padon said, explaining how Charger managed to worm its way into the Google Play store.

The malware is also unusual in that it carries its own malicious payload instead of relying on a dropper or downloader component, Check Point reported. To avoid detection, it employs a number of evasive techniques, including encoding strings into binary arrays, dynamically loading code from encrypted resources (the code is also obfuscated), and scanning for virtual environments before commencing  malicious activity. 

Charger refuses to execute if it determines that an infected device is located in Ukraine, Russia or Belarus, which hints that the perpetrator is likely from this region and does not want to incite an investigation by local authorities.

According to the blog post, Google removed the infected app from its app store and added the malware to Android's built-in protection mechanisms.

SC Media has reached out to Google and will update the story if it receives comment.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.