contacts and SMS messages from the user’s device and asks for admin permissions. If granted, the ransomware locks the device and displays a message demanding payment.

Researchers detected and quarantined the Android device of an unsuspecting customer employee who had unknowingly downloaded and installed Charger. The early detection enabled them to quickly disclose the findings to Android’s Security team, which added the malware to Android’s built-in protection mechanisms before it began to spread, ensuring only a handful of devices were infected.

Unlike most malware found on Google Play, which contains a dropper that later downloads the real malicious components to the device, Charger uses a heavy packing approach. This makes it harder for the malware to stay hidden. Charger’s developers compensated for this using a variety of techniques to boost its evasion capabilities so it could stay hidden on Google Play for as long as possible. These included:

The ransom demand is for 0.2 Bitcoins, or roughly $180, and is much higher than what has been seen in previous mobile ransomware attacks. By comparison, the DataLust ransomware demanded merely $15. The higher demand could be an indicator of a wider effort by mobile malware developers to catch up with their PC ransomware cousins.

Similar to other malware seen in the past, Charger checks the local settings of the device and does not run its malicious logic if the device is located in Ukraine, Russia, or Belarus. This is likely done to keep the developers from being prosecuted in their own countries or being extradited between countries
Researchers say a piece of ransomware disguised as a battery app made its way into the Play store. Check Point says one of its customers contracted the malware app, dubbed "Charger," after installing what they thought was a battery monitoring tool called EnergyRescue.

Researchers with Check Point Mobile Threat Prevention say the malware activates when EnergyRescue runs, and requires admin access to the device. Once that permission is granted, the malware checks for location (it does not attack phones in the Ukraine, Belarus, or Russia), then swipes all user contacts and SMS messages and locks down the device. From there, the user is told that they must pay to deactivate the ransomware or they will have their full details spaffed out for various nefarious activities, including bank fraud and spam.

"You need to pay for us, otherwise we will sell portion of your personal information on black market every 30 minutes," the ransomware tells users.

Not ones to be unprofessional, the Charger operators attempt to reassure their victims by offering a "100% guarantee" that once the 0.2 Bitcoin ransom (currently around $183) is paid, all the collected information will be deleted and the device unlocked.

"The ransom demand for 0.2 Bitcoins is a much higher ransom demand than has been seen in mobile ransomware so far," note Check Point mobile security analysts Oren Koriat and Andrey Polkovnichenko. "By comparison, the DataLust ransomware demanded merely $15."

Check Point says that thus far it has not spotted any payments being registered to the Bitcoin address used for the ransom collection, so it is unclear how much, if anything, has been made from this operation.