Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


03:55 PM
Connect Directly

Google Removes Ransomware-Laden App From Play Store

Incident is believed to be first time threat actors have snuck ransomware into Google's official mobile app store.

A ransomware sample that was recently discovered embedded in an Android application on Google Play Store suggests that threat actors may have found a dangerous new way to get extortion malware on mobile devices.

The malware, dubbed Charger, is believed to be the first instance of ransomware being successfully uploaded to Google's official mobile application store. So far there have been no reported incidents of similar uploads on Apple’s App Store.

Security vendor Check Point software found Charger embedded in an Android batter- saving app called EnergyRescue when inspecting a quarantined device belonging to an employee of one of its enterprise clients.

Google has since purged the rogue application from Play Store so it no longer poses a threat to Android users. Still, the incident is a reminder that official mobile app stores, while considered much safer than third-party stores, are not immune from security risks and that enterprise users downloading apps from such stores cannot automatically assume the software will be malware free.

In an alert, Check Point described Charger as malware designed to surreptitiously steal SMS messages and contact information from an infected device, lock up the device, and then demand a ransom in return for unlocking it.

The extortion note threatened victims that all personal data extracted from their phone would be sold to cybercriminals if they didn't pay a ransom of 0.2 Bitcoin, or around about $180. The note reassured victims that their locked files would be restored after payment was received and warned them that it was futile to power off and restart their phone.


The ransom amount that the authors of Charger want is considerably higher than the $15 ransom demanded by those behind DataLust, another recent and prolific Android ransomware sample that targeted users of porn apps, Check Point security researchers Oren Koriat and Andrey Polkovnichenko wrote.

Malware previously uploaded to Google Play typically only contained a dropper for downloading the real payload from elsewhere on victim devices. EnergyRescue, on the other hand, contained all the malicious code for Charger with it, making it bulky and somewhat easy to spot, the researchers said. So in order to compensate, the authors of the malware employed multiple advanced techniques to evade detection, they added.

For example, the malware encoded strings into binary arrays making it harder for researchers to inspect them. The malware also dynamically loaded code from encrypted resources, preventing detection engines from inspecting it. Charger also checked to see if it was being run in an emulator before beginning malicious activity.

In a statement, a Google spokesman thanked Check Point for noticing the problem and disclosing it. "We've taken the appropriate actions in Play, and will continue to work closely with the research community to help keep Android users safe," the statement noted.

Like Apple, Google has implemented a variety of measures over the past several years to prevent people from uploading malicious and potentially harmful apps to Play Store. The company uses a combination of automated and manual inspections and ratings systems to vet applications for security issues before permitting them to be uploaded.

Google also has a Google Play App Security Improvement (ASI) program under which it offers guidance to help developers avoid common security pitfalls so their apps cannot be maliciously exploited. Earlier this month, Google claimed that the ASI program has helped about 90,000 Android app developers fix security problems in some 250,000 apps over the past few years.

The fact that attackers are still able to upload malware like Charger indicates that even such measures as an ASI are not always enough.

"This incident indicates that attackers are getting better in developing and employing advanced evasion techniques that manage to bypass the ever improving security measures," says Daniel Padon, a security researcher at Check Point.  

"Users should not rely on official app stores as their sole protection against malware," he says. They should also consider other measures such as threat emulation and detection, he says.

Related stories:


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
X ray tech
X ray tech,
User Rank: Apprentice
1/25/2017 | 4:50:14 PM
MS Outlook Support
Thanks. To keep updating with this news. Google have to do this, Because there are so many unwanted app on app store that cause your security problems.
Florida Town Pays $600K to Ransomware Operators
Curtis Franklin Jr., Senior Editor at Dark Reading,  6/20/2019
Pledges to Not Pay Ransomware Hit Reality
Robert Lemos, Contributing Writer,  6/21/2019
AWS CISO Talks Risk Reduction, Development, Recruitment
Kelly Sheridan, Staff Editor, Dark Reading,  6/25/2019
Register for Dark Reading Newsletters
White Papers
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-06-26
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2019-12887. Reason: This candidate is a reservation duplicate of CVE-2019-12887. Notes: All CVE users should reference CVE-2019-12887 instead of this candidate. All references and descriptions in this candidate have been removed to preve...
PUBLISHED: 2019-06-25
PC-Doctor Toolbox before 7.3 has an Uncontrolled Search Path Element.
PUBLISHED: 2019-06-25
Nessus versions 8.4.0 and earlier were found to contain a reflected XSS vulnerability due to improper validation of user-supplied input. An unauthenticated, remote attacker could potentially exploit this vulnerability via a specially crafted request to execute arbitrary script code in a users browse...
PUBLISHED: 2019-06-25
Secure Encrypted Virtualization (SEV) on Advanced Micro Devices (AMD) Platform Security Processor (PSP; aka AMD Secure Processor or AMD-SP) 0.17 build 11 and earlier has an insecure cryptographic implementation.
PUBLISHED: 2019-06-25
HP Support Assistant 8.7.50 and earlier allows a user to gain system privilege and allows unauthorized modification of directories or files. Note: A different vulnerability than CVE-2019-6329.