20 April 2017

Android malware that has many faces, escaping detection

ESET researchers have discovered another banking trojan on Google Play – this time disguised as a Flashlight widget and targeting a potentially unlimited number of apps. Based on code that was primarily used for ransomware, the attackers are now trying their luck with phishing for banking credentials, ESET researchers said.

Android users were the target of another banking malware with screen locking capabilities, masquerading as a flashlight app on Google Play. Unlike other banking trojans with a static set of targeted banking apps, this trojan is able to dynamically adjust its functionality.

Aside from delivering the promised flashlight functionality, the remotely controlled trojan comes with a variety of additional functions aimed at stealing victims’ banking credentials. Based on commands from its command and control (C&C) server, the trojan can display fake screens mimicking legitimate apps, lock infected devices to hide fraudulent activity, intercept SMS messages and display fake notifications in order to bypass two-factor authentication.

The malware can affect all versions of Android. Because of its dynamic nature, there might be no limit to targeted apps – the malware obtains HTML code based on apps installed on the victim’s device and uses the code to overlay the apps with fake screens after they are launched. ESET researchers have seen fake screens for Commonwealth Bank, National Australia Bank and Westpac Mobile Banking, but also for Facebook, WhatsApp, Instagram and Google Play.

The trojan, detected by ESET as Trojan.Android/Charger.B, was uploaded to Google Play on March 30 and was installed by up to 5,000 unsuspecting users before being pulled from the store on ESET’s notice on April 10.

Those who have downloaded a flashlight app recently can check in Settings > Application Manager/Apps to see if they have the Flashlight Widget. The app cannot be uninstalled conventionally; it can be removed only if the device is first booted in Safe mode.

ESET advises users to stick to official app stores when downloading apps, and to download apps that are popular, going by the number of installs, ratings and review content. ESET also says that if an app asks for permissions that are unusual for its function – like device administrator rights for a Flashlight app – users should rethink the download. Last but not least, use a reputable mobile security solution.