Security & Fraud

Charger Ransomware “Hiding In Plain Sight” In Google Play Store

It looks like ransomware has gotten by the safeguard in Google Play, the official Android marketplace for apps. Called Charger, the ransomware was hiding out in an app called Energy Rescue for at least one Android handset user, according to a blog post from Check Point Software.

The Charger malware apparently stole the user’s SMS contact and then prompted unaware users to give the app all-powerful administrator rights over the phone. By clicking OK, the app proceeded to promptly lock the device and ransom its owner with the following message:

“You need to pay for us, otherwise we will sell portion of your personal information on black market every 30 minutes. WE GIVE 100% GUARANTEE THAT ALL FILES WILL RESTORE AFTER WE RECEIVE PAYMENT. WE WILL UNLOCK THE MOBILE DEVICE AND DELETE ALL YOUR DATA FROM OUR SERVER! TURNING OFF YOUR PHONE IS MEANINGLESS, ALL YOUR DATA IS ALREADY STORED ON OUR SERVERS! WE STILL CAN SELLING IT FOR SPAM, FAKE, BANK CRIME etc… We collect and download all of your personal data. All information about your social networks, Bank accounts, Credit Cards. We collect all data about your friends and family.”

Learning to code malware apparently takes a lot of time — and doesn’t leave much time for proofing or perfecting one’s ransom notes.

To pay off the ransomers, users had to pay a very reasonable price of 0.2 bitcoin — or about $180. The app that acted as the Trojan horse for the malware was reportedly in the Google store for about 4 days and did not receive much in the way of download action.

“We believe the attackers only wanted to test the waters and not spread it yet,” the researchers told Ars Technica.

Google officials have since removed the app and have thanked Check Point for raising awareness of the issue.

Reserachers also have determined that the malware was customized such that the malicious payload would not deliver if the device was located in Ukraine, Russia, or Belarus — indicating the likely home base countries of the hackers.  Also discovered was just how hard the malware coders worked to hide the app in plain site in the Play store. The code is designed to know if it is being run in a real OS or on an emulator. It won’t execute unless it is in a real OS.

——————————

LATEST PYMNTS REPORT: MARCH 2020 B2B API TRACKER  

B2B APIs aren’t just for large enterprises anymore — middle-market firms and SMBs now realize their potential for enabling low-cost access to real-time payments and account data. But those capabilities are only the tip of the API iceberg, says HSBC global head of liquidity and cash management Diane Reyes. In this month’s B2B API Tracker, Reyes explains how the next wave of banking APIs could fight payments fraud and proactively alert middle-market treasurers to investment opportunities.

Click to comment

TRENDING RIGHT NOW