Energy Rescue installs Charger ransomware on Android

Security vendor Check Point has disclosed that the Charger malware is charging users 0.2 Bitcoin (BTC) to unlock their devices. The ransomware is hidden inside a utility for Android devices called Energy Rescue. The app tells users it will make their battery work longer. It claims to do this by scanning for weak battery cells and trying to restore them. As users struggle with battery life it is unsurprising that Charger has claimed victims. Ironically, Check Point only became aware of this due to an employee getting infected.

Ben Harknett, VP EMEA, RiskIQ
Ben Harknett, VP EMEA, RiskIQ

The details of the attack were disclosed in a blog entitled Charger Malware Calls and Raises the Risk on Google Play. The blog was written by Oren Koriat and Andrey Polkovnichenko. Energy Rescue was downloaded from Google Play by a Check Point employee. This is not the first time Google Play has been caught providing ransomware. In this case the attack used a 0 day exploit which may explain how it got through Google’s security checks.

According to Ben Harknett, VP EMEA at RiskIQ: “The fact that Charger ransomware has been discovered in an app on the Google Play store isn’t surprising. This is unfortunately not a new thing. Mobile presents an easy target for cyber criminals, because it is an attack surface that is open and extremely difficult to defend once an app has been released.”

Charger asks for admin permissions

Like a lot of malware, Charger asks for Admin permissions when being installed on the device. The problem is that so many utilities ask for raised permissions that users routinely grant them. It is time that device manufacturers closed this loophole including warning the user when they grant permissions.

Harknett says: “What many users don’t consider, particularly with apps in official app stores, is that it often states in the terms and conditions of the app what data will be collected and how it will be used. Unfortunately, it’s not uncommon for people to blindly click accept on terms and conditions before even reading past the first sentence. When individuals do this using a legitimate app their collected data will reside in multiple locations across multiple organisations, increasing the risk of a data breach.”

Once Charger is installed it steals the contact list, presumably to use as part of a phishing campaign. Most users will install apps if someone in their network recommends them. It also steals SMS messages. Once the device is locked the ransomware displays a message and asks for payment.

In an interesting twist the user is given an ultimatum. Every 30 minutes 10% of their personal data will be sold on the black market. The time limit is interesting. It assumes that the user has access to Bitcoin or is able to buy them that quickly. If the user buys them using the mobile device then there is a high likelihood that the cyber criminals will steal payment data.

A higher price than other mobile malware

In their blog Koriat and Polkovnichenko say: “The ransom demand for 0.2 Bitcoins (roughly $180) is a much higher ransom demand than has been seen in mobile ransomware so far. By comparison, the DataLust ransomware demanded merely $15. Payments are made to a specific Bitcoin account, but we havent identified any payments so far.”

As BTC prices drop, it will be interesting to see if newer versions of Charger continue to charge a premium. With no payments detected it could be that mobile users are less concerned about it than if it is on their PC. If so, that would be a mistake.

More Russian malware?

As with most malware, Charger checks the country settings of the device. Koriat and Polkovnichenko believe this is about avoiding local law enforcement. “Similar to other malware seen in the past, Charger checks the local settings of the device and does not run its malicious logic if the device is located in Ukraine, Russia, or Belarus. This is likely done to keep the developers from being prosecuted in their own countries or being extradited between countries.”

Even if arrested, prosecution risks are very low as proven in the recent Operation Avalanche debacle. In this case the criminal mastermind was arrested and then released by a provincial court in Ukraine. That case has damaged Ukraine’s efforts to work with international law enforcement to clean up its reputation as a safe haven for cyber criminals.

The recent Russian crackdown on cyber criminals also appears to be very limited. The belief among other security vendors is that Russia was only cracking down for appearances not effect.


Mobile malware is an increasing problem for enterprises. The use of Bring Your Own Device (BYOD) has expanded massively over the last three years. Fewer and fewer organisations now provide anything other than a desktop PC for users. Without proper controls BYOD means that mobile devices are becoming an attractive way for criminals to penetrate the enterprise.

This version of Charger may not have made much money but like all ransomware it won’t go away. Google has now removed it from the Google Play store but for how long?


Please enter your comment!
Please enter your name here