Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


03:55 PM
Connect Directly

Google Removes Ransomware-Laden App From Play Store

Incident is believed to be first time threat actors have snuck ransomware into Google's official mobile app store.

A ransomware sample that was recently discovered embedded in an Android application on Google Play Store suggests that threat actors may have found a dangerous new way to get extortion malware on mobile devices.

The malware, dubbed Charger, is believed to be the first instance of ransomware being successfully uploaded to Google's official mobile application store. So far there have been no reported incidents of similar uploads on Apple’s App Store.

Security vendor Check Point software found Charger embedded in an Android batter- saving app called EnergyRescue when inspecting a quarantined device belonging to an employee of one of its enterprise clients.

Google has since purged the rogue application from Play Store so it no longer poses a threat to Android users. Still, the incident is a reminder that official mobile app stores, while considered much safer than third-party stores, are not immune from security risks and that enterprise users downloading apps from such stores cannot automatically assume the software will be malware free.

In an alert, Check Point described Charger as malware designed to surreptitiously steal SMS messages and contact information from an infected device, lock up the device, and then demand a ransom in return for unlocking it.

The extortion note threatened victims that all personal data extracted from their phone would be sold to cybercriminals if they didn't pay a ransom of 0.2 Bitcoin, or around about $180. The note reassured victims that their locked files would be restored after payment was received and warned them that it was futile to power off and restart their phone.


The ransom amount that the authors of Charger want is considerably higher than the $15 ransom demanded by those behind DataLust, another recent and prolific Android ransomware sample that targeted users of porn apps, Check Point security researchers Oren Koriat and Andrey Polkovnichenko wrote.

Malware previously uploaded to Google Play typically only contained a dropper for downloading the real payload from elsewhere on victim devices. EnergyRescue, on the other hand, contained all the malicious code for Charger with it, making it bulky and somewhat easy to spot, the researchers said. So in order to compensate, the authors of the malware employed multiple advanced techniques to evade detection, they added.

For example, the malware encoded strings into binary arrays making it harder for researchers to inspect them. The malware also dynamically loaded code from encrypted resources, preventing detection engines from inspecting it. Charger also checked to see if it was being run in an emulator before beginning malicious activity.

In a statement, a Google spokesman thanked Check Point for noticing the problem and disclosing it. "We've taken the appropriate actions in Play, and will continue to work closely with the research community to help keep Android users safe," the statement noted.

Like Apple, Google has implemented a variety of measures over the past several years to prevent people from uploading malicious and potentially harmful apps to Play Store. The company uses a combination of automated and manual inspections and ratings systems to vet applications for security issues before permitting them to be uploaded.

Google also has a Google Play App Security Improvement (ASI) program under which it offers guidance to help developers avoid common security pitfalls so their apps cannot be maliciously exploited. Earlier this month, Google claimed that the ASI program has helped about 90,000 Android app developers fix security problems in some 250,000 apps over the past few years.

The fact that attackers are still able to upload malware like Charger indicates that even such measures as an ASI are not always enough.

"This incident indicates that attackers are getting better in developing and employing advanced evasion techniques that manage to bypass the ever improving security measures," says Daniel Padon, a security researcher at Check Point.  

"Users should not rely on official app stores as their sole protection against malware," he says. They should also consider other measures such as threat emulation and detection, he says.

Related stories:


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
X ray tech
X ray tech,
User Rank: Apprentice
1/25/2017 | 4:50:14 PM
MS Outlook Support
Thanks. To keep updating with this news. Google have to do this, Because there are so many unwanted app on app store that cause your security problems.
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Google's new See No Evil policy......
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-21
White Shark System (WSS) 1.3.2 is vulnerable to unauthorized access via user_edit_password.php, remote attackers can modify the password of any user.
PUBLISHED: 2021-06-21
White Shark System (WSS) 1.3.2 is vulnerable to sensitive information disclosure via default_task_add.php, remote attackers can exploit the vulnerability to create a task.
PUBLISHED: 2021-06-21
White Shark System (WSS) 1.3.2 is vulnerable to CSRF. Attackers can use the user_edit_password.php file to modify the user password.
PUBLISHED: 2021-06-20
The Quiz And Survey Master – Best Quiz, Exam and Survey Plugin WordPress plugin before 7.1.18 did not sanitise or escape its result_id parameter when displaying an existing quiz result page, leading to a reflected Cross-Site Scripting issue. This c...
PUBLISHED: 2021-06-18
RIOT-OS 2021.01 before commit 44741ff99f7a71df45420635b238b9c22093647a contains a buffer overflow which could allow attackers to obtain sensitive information.