App Infected With Ransomware Now Removed From Google Play

An app infected with the ransomware Charger made its way onto the Google Play Store, in a rare miss for Google. Now, however, that app has finally been caught and removed.


The malware came packaged with an app called EnergyRescue, which was billed as a battery saving app. This turned out to be a front for its real purpose, which was to snoop on people’s SMS messages.


Check Point found the malware three weeks ago, and now Google has finally acted. This is a rare win for the cybercrime community, as the Google Play Store is usually seen as a safe haven from these kinds of infected apps. Usually, these kinds of apps can only be installed by sideloading through third-party websites. But it seems even Google is not infallible.


Employing a large arsenal of malware detection evasion tools, it seems the app was able to successfully slip undetected onto Google’s platform. One of these techniques is the ability to encode strings as binary arrays. Another is the ability to load code from encrypted resources dynamically. Most detection algorithms will not be able to decipher this.


Worst of all is the flood of meaningless commands that serve to mask the true intentions of the application. Or perhaps it's the fact that the malware lies dormant when run in an OS emulator, one of the usual methods for app security testing.
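As an added example (not from the article or from Check Point's analysis), here is a small analyst helper in the spirit of the evasion techniques described in the two paragraphs above: it decodes strings hidden as byte arrays in decompiled Java and flags the ones that point at dynamic code loading, runtime decryption of resources, or emulator fingerprint checks. The decompiled fragment and the indicator list are constructed assumptions, not the EnergyRescue sample.

```python
import re
import string

# Constructed fragment of decompiled Java, standing in for what an analyst sees
# after decompiling an obfuscated APK. Not from the real EnergyRescue sample.
SAMPLE_DECOMPILED = r'''
public class a {
    static final byte[] b = new byte[]{0x44, 0x65, 0x78, 0x43, 0x6c, 0x61, 0x73,
        0x73, 0x4c, 0x6f, 0x61, 0x64, 0x65, 0x72};
    static final byte[] c = new byte[]{0x41, 0x45, 0x53, 0x2f, 0x43, 0x42, 0x43,
        0x2f, 0x50, 0x4b, 0x43, 0x53, 0x35, 0x50, 0x61, 0x64, 0x64, 0x69, 0x6e, 0x67};
    static final byte[] d = new byte[]{103, 101, 110, 101, 114, 105, 99};
    static final byte[] e = new byte[]{(byte) 0xff, 0x00, 0x01};  // real binary data
}
'''

BYTE_ARRAY = re.compile(r'new\s+byte\s*\[\s*\]\s*\{([^}]*)\}')
LITERAL = re.compile(r'-?(?:0x[0-9a-fA-F]+|\d+)')   # skips "(byte)" casts
PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")

# Decoded strings that hint at the evasion tricks the article describes (assumed list).
INDICATORS = {
    "DexClassLoader": "dynamic code loading",
    "Cipher": "runtime decryption of resources",
    "AES/": "runtime decryption of resources",
    "generic": "emulator fingerprint check",
}

def _to_int(tok: str) -> int:
    return int(tok, 16) if "x" in tok.lower() else int(tok, 10)

def decode_byte_array_strings(src: str) -> list[str]:
    """Return every byte-array literal in src that decodes to printable ASCII."""
    found = []
    for body in BYTE_ARRAY.findall(src):
        raw = bytes(_to_int(tok) & 0xFF for tok in LITERAL.findall(body))
        text = raw.decode("latin-1")
        if text and all(ch in PRINTABLE for ch in text):
            found.append(text)   # arrays holding real binary data are skipped
    return found

def triage(src: str) -> dict:
    """Map decoded strings to the evasion behaviours they suggest."""
    decoded = decode_byte_array_strings(src)
    hits: dict[str, list[str]] = {}
    for text in decoded:
        for needle, meaning in INDICATORS.items():
            if needle in text:
                hits.setdefault(meaning, []).append(text)
    return {"strings": decoded, "indicators": hits}
```

Run `triage(SAMPLE_DECOMPILED)` to see the three hidden strings and the behaviours they map to; the fourth array, being non-printable binary, is ignored.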


This is a bit dangerous, as it means attackers have found a way to get their malware onto the Play Store successfully. Hopefully Google will continue working with the community to develop countermeasures that improve the security of their platform before this problem becomes widespread.


