One of the first ever mobile doxware viruses embedded in an app installing ransomware, calling itself Charger has been detected by malware researchers. The application was directly available in Google Play Store for Android devices under the name EnergyRescue. Upon being activated, similar to most apps, it obtains permissions over messages and other administrative privileges.
If installed, this app is able to lock the Android device completely. When the device has been locked, the Charger ransomware app wants the victim to pay around 200$ or 0.2 BitCoin as a ransom payoff.
A brief transcript of the note, even suggest it to be a completely new invention – the first mobile doxware app. This is due to cyber-criminals threatening to leak the information from the device, like photos messages and other stolen information to the black market. The lockscreen note is the following:
“You need to pay for us, otherwise we will sell portion of your personal information on black market every 30 minutes.”
What Does Charger Doxware Do?
In addition to being a doxware application, this program also perform the traditional for such malware activities, such as detecting the location of the device and not activating it in case it is from a specific country.
Another activity of Charger doxware is to become a harder reverse engineering malware, encoding strings in to binaries. In addition to this, EasySecurityPlanet reports that the Charger mobile doxware threat will load a code which cannot be penetrated for analysis. This code is loaded along with multiple commands and it is different to distinguish which ones work and which do not. This makes researching the threat significantly more difficult. The malware alos performs a check up whether or not it is ran on a virtual drive, like Nox App Player for example.
Luckily the application was detected by malware researchers and eventually removed short after. However, Google Play Store has millions of applications out there and if Cyber-Criminals can create this application which can run successfully on almost a quarter of the Android devices out there, it is important to be extremely careful. But according to experts the Android devices themselves who may be affected will likely be ones who are not regularly supported. This is why advices are to buy a device which has a longer support period, since it will be regularly patched and updated.
Follow the below instructions for additional help.
Ventsislav is a cybersecurity expert at SensorsTechForum since 2015. He has been researching, covering, helping victims with the latest malware infections plus testing and reviewing software and the newest tech developments. Having graduated Marketing as well, Ventsislav also has passion for learning new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management, Network Administration and Computer Administration of System Applications, he found his true calling within the cybersecrurity industry and is a strong believer in the education of every user towards online safety and security.
Get Dashlane to see if your device is infected by Doxware
Secure your Android or Apple mobile device against data-stealing Viruses now! Dashlane's security service is free but the paid version is needed to get access to full features. Read Dashlane’s EULA and Privacy Policy.
Preparation before removal of malware.
Before starting the actual removal process, we recommend that you do the following preparation steps.
Turn off your phone until you know how bad is the virus infection.
Open these steps on another, safe device.
Make sure to take out your SIM card, as the virus could corrupt it in some rare cases.
Step 1: Shut Down your phone to win some time
Shutting down your phone can be done by pressing and holding its power button and choosing shut down.
In case the virus does not let you do this, you can also try to remove the battery.
In case your battery is non-removalble, you can try to drain it as fast as possible if you still have control over it.
Notes: This gives youtime to see how bad the situation is and to be able to take out your SIM card safely, without the numbers in it to be erased. If the virus is on your computer, it is espeically dangerous to keep the sim card there.
Step 2: Turn on Safe Mode of your Android device.
For most Android devices, switching to Safe Mode is the same. Its done by following these mini-steps:
1.Turn on your device and hold the power button until you see the following menu:
2.Tap on Safe Mode Icon to reset your phone to Safe Mode, like shown below:
3.When you turn on your phone, you will see the letters “Safe Mode” written on the side, bottom or other corners of the screen. Your phone will also be in Airplane mode. This will help avoid any viruses communicating with the hacker.
Step 3: Eliminate the App that Your Believe is the Virus
Usually Android viruses get masked in the form of applications. To eliminate apps, follow these mini-steps:
1.Swipe down from the top of your phone and locate the Settings symbol and tap on it.
2.When you open the Settings menu, you should be able to locate the control center of all your App Permissions. It should look something like the following:
3.Now if you know which the virus or adware app is, you should locate it and tap on it:
4.When you enter the app, you will see two options – to Force Stop it and to Uninstall it. Make sure to first Force Stop it so that your phone is safe from any tripwire tactics of the app that may destroy it an then tap on Uninstall to remove it.
5.Now if you are sure that the virus or adware app is removed, you can hold the Power button and tap on Restart:
Step 4: Find Hidden Virus Files on Your Android Phone and Remove Them
1.To find hidden files manually (In case you know where the virus files are), you can use Safe Mode to go to where your Files are actually located. Usually, this is a folder, named “My Files” or something approximate to this:
2.There you should be able to locate all of your files and all of the folders:
Simply locate the virus and holdtap on the virus file to delete it.
Ventsislav is a cybersecurity expert at SensorsTechForum since 2015. He has been researching, covering, helping victims with the latest malware infections plus testing and reviewing software and the newest tech developments. Having graduated Marketing as well, Ventsislav also has passion for learning new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management, Network Administration and Computer Administration of System Applications, he found his true calling within the cybersecrurity industry and is a strong believer in the education of every user towards online safety and security.
One of the first ever mobile doxware viruses embedded in an app installing ransomware, calling itself Charger has been detected by malware researchers. The application was directly available in Google Play Store for Android devices under the name EnergyRescue. Upon being activated, similar to most apps, it obtains permissions over messages and other administrative privileges. 
