Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


03:55 PM
Connect Directly

Google Removes Ransomware-Laden App From Play Store

Incident is believed to be first time threat actors have snuck ransomware into Google's official mobile app store.

A ransomware sample that was recently discovered embedded in an Android application on Google Play Store suggests that threat actors may have found a dangerous new way to get extortion malware on mobile devices.

The malware, dubbed Charger, is believed to be the first instance of ransomware being successfully uploaded to Google's official mobile application store. So far there have been no reported incidents of similar uploads on Apple’s App Store.

Security vendor Check Point software found Charger embedded in an Android batter- saving app called EnergyRescue when inspecting a quarantined device belonging to an employee of one of its enterprise clients.

Google has since purged the rogue application from Play Store so it no longer poses a threat to Android users. Still, the incident is a reminder that official mobile app stores, while considered much safer than third-party stores, are not immune from security risks and that enterprise users downloading apps from such stores cannot automatically assume the software will be malware free.

In an alert, Check Point described Charger as malware designed to surreptitiously steal SMS messages and contact information from an infected device, lock up the device, and then demand a ransom in return for unlocking it.

The extortion note threatened victims that all personal data extracted from their phone would be sold to cybercriminals if they didn't pay a ransom of 0.2 Bitcoin, or around about $180. The note reassured victims that their locked files would be restored after payment was received and warned them that it was futile to power off and restart their phone.


The ransom amount that the authors of Charger want is considerably higher than the $15 ransom demanded by those behind DataLust, another recent and prolific Android ransomware sample that targeted users of porn apps, Check Point security researchers Oren Koriat and Andrey Polkovnichenko wrote.

Malware previously uploaded to Google Play typically only contained a dropper for downloading the real payload from elsewhere on victim devices. EnergyRescue, on the other hand, contained all the malicious code for Charger with it, making it bulky and somewhat easy to spot, the researchers said. So in order to compensate, the authors of the malware employed multiple advanced techniques to evade detection, they added.

For example, the malware encoded strings into binary arrays making it harder for researchers to inspect them. The malware also dynamically loaded code from encrypted resources, preventing detection engines from inspecting it. Charger also checked to see if it was being run in an emulator before beginning malicious activity.

In a statement, a Google spokesman thanked Check Point for noticing the problem and disclosing it. "We've taken the appropriate actions in Play, and will continue to work closely with the research community to help keep Android users safe," the statement noted.

Like Apple, Google has implemented a variety of measures over the past several years to prevent people from uploading malicious and potentially harmful apps to Play Store. The company uses a combination of automated and manual inspections and ratings systems to vet applications for security issues before permitting them to be uploaded.

Google also has a Google Play App Security Improvement (ASI) program under which it offers guidance to help developers avoid common security pitfalls so their apps cannot be maliciously exploited. Earlier this month, Google claimed that the ASI program has helped about 90,000 Android app developers fix security problems in some 250,000 apps over the past few years.

The fact that attackers are still able to upload malware like Charger indicates that even such measures as an ASI are not always enough.

"This incident indicates that attackers are getting better in developing and employing advanced evasion techniques that manage to bypass the ever improving security measures," says Daniel Padon, a security researcher at Check Point.  

"Users should not rely on official app stores as their sole protection against malware," he says. They should also consider other measures such as threat emulation and detection, he says.

Related stories:


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
X ray tech
X ray tech,
User Rank: Apprentice
1/25/2017 | 4:50:14 PM
MS Outlook Support
Thanks. To keep updating with this news. Google have to do this, Because there are so many unwanted app on app store that cause your security problems.
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-05-12
Cross Site Scripting (XSS) in LAOBANCMS v2.0 allows remote attackers to execute arbitrary code by injecting commands into the "Website SEO Keywords" field on the page "admin/info.php?shuyu".
PUBLISHED: 2021-05-12
An Information Disclosure vulnerability exists in dhcms 2017-09-18 when entering invalid characters after the normal interface, which causes an error that will leak the physical path.
PUBLISHED: 2021-05-12
evm is a pure Rust implementation of Ethereum Virtual Machine. Prior to the patch, when executing specific EVM opcodes related to memory operations that use `evm_core::Memory::copy_large`, the `evm` crate can over-allocate memory when it is not needed, making it possible for an attacker to perform d...
PUBLISHED: 2021-05-12
A Cross SIte Scripting (XSS) vulnerability exists in Dhcms 2017-09-18 in guestbook via the message board, which could let a remote malicious user execute arbitrary code.
PUBLISHED: 2021-05-12
Knowage Suite 7.3 is vulnerable to Stored Cross-Site Scripting (XSS). An attacker can inject arbitrary web script in '/knowage/restful-services/signup/update' via the 'surname' parameter.