
'Flashlight' Trojan targets Australian banking apps, takes pictures of victims

24 Apr 2017

Android users are being warned about a fake flashlight app on Google Play that is targeting Australian banking apps.

The fake app, called ‘Flashlight LED Widget’, has been downloaded by 5000 users. According to ESET researchers, the app is also able to adjust its functionality to target an unlimited number of apps on the victim’s device.

So far it has been detected targeting banking apps from Commbank, NAB and Westpac in order to steal banking credentials. It has also targeted Facebook, WhatsApp, Instagram and Google Play.

The app, detected as Trojan.Android/Charger.B, was uploaded to Google Play on March 30. On April 10, it was pulled from the store after ESET reported it.

According to researchers, the Trojan is a variant of malware originally used to deliver ransomware; the switch to bank phishing is apparently ‘rare’ in the Android malware world.

The Trojan does actually act as a flashlight, but it also has embedded command & control (C&C) functionalities that can send fake screens that mimic real apps, lock infected devices, intercept SMS and display fake notifications that can bypass two-factor authentication. 

It can also use HTML code that is based on apps installed on the device to display fake screen overlays once they are launched, ESET says.

The Trojan works by asking for device administrator rights as soon as it is launched. After permissions are granted, the app hides its icon and displays only as a widget. 

It then registers the infected device on the attacker’s server and provides information about the phone. It even goes one step further and attaches a picture of the device owner, which has been taken by the front camera.

According to ESET, if the server detects that the infected device is in Belarus, Russia or Ukraine, the Trojan stops all its activity. Researchers suspect this gives an indication of where the attackers are located, as they may be wanting to avoid prosecution in their home countries.

ESET researchers have also noted that the Trojan uses Firebase Cloud Messaging (FCM) to communicate with its C&C server, the very first time malware has been seen using this as a communication channel.

ESET recommends that all users who have downloaded a flashlight app check to see if it is legitimate. This particular malicious app can be found in Settings > Application Manager/Apps > Flashlight Widget.

Uninstalling the widget is much more difficult, as the Trojan attempts to stop users from turning off the active device administrator. 

“When trying to deactivate the rights, the pop-up screen doesn’t go away until you change your mind and click 'activate' again,” researchers report.

ESET recommends that users boot their devices in Safe mode, which will help uninstall the Trojan. 

In addition, ESET recommends that users choose only official app stores. When downloading apps, check app popularity, ratings and what people are saying in reviews. 

Be wary of what permissions apps ask for. If a flashlight app asks for device administrator rights, consider uninstalling the app immediately. Finally, use up-to-date mobile security solutions.
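The article's practical point is that a flashlight app should never hold device administrator rights, and that this Trojan hides its icon and resists deactivation once it has them. The script below is an added example, not code from the article or from ESET: it audits the list of enabled device administrators as reported by `adb shell dumpsys device_policy` and flags any entry that is either a utility-style package (name containing "flashlight" or "torch") or not on an assumed allowlist. The sample `dumpsys` text, the allowlist and the keyword list are constructed for the example; the exact layout of `dumpsys device_policy` varies between Android versions, so the parser only relies on the "Enabled Device Admins" heading and lines of the form `package/ReceiverClass:` beneath it.

```python
"""Audit enabled Android device administrators (added example, not ESET's code).

Input is the text of `adb shell dumpsys device_policy`. The sample below is
constructed to resemble that output; real layouts differ by Android version.
"""
import re
from typing import List, Set, Tuple

# Constructed sample, modelled loosely on `adb shell dumpsys device_policy`.
SAMPLE_DUMPSYS = """\
Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.android.settings/.DeviceAdminReceiver:
      uid=1000
    com.example.flashlightwidget/.AdminReceiver:
      uid=10234
  Password Owner: -1
"""

# Assumed allowlist: admins an organisation expects on its managed devices.
EXPECTED_ADMINS: Set[str] = {"com.android.settings"}

# Assumed keywords: utility apps that have no business being a device admin.
SUSPICIOUS_KEYWORDS = ("flashlight", "torch")

# A device-admin entry looks like "    com.pkg.name/.ReceiverClass:".
ADMIN_LINE = re.compile(r"^\s*([A-Za-z0-9_.]+)/(\S+):\s*$")


def parse_enabled_admins(dumpsys_text: str) -> List[str]:
    """Return the package names listed under 'Enabled Device Admins'."""
    admins: List[str] = []
    section_indent = None  # indentation of the heading once we are inside it
    for line in dumpsys_text.splitlines():
        indent = len(line) - len(line.lstrip(" "))
        if "Enabled Device Admins" in line:
            section_indent = indent
            continue
        if section_indent is None:
            continue
        # A non-blank line at or above the heading's indent ends the block.
        if line.strip() and indent <= section_indent:
            section_indent = None
            continue
        match = ADMIN_LINE.match(line)
        if match:
            admins.append(match.group(1))
    return admins


def flag_unexpected_admins(
    admins: List[str],
    expected: Set[str] = EXPECTED_ADMINS,
    keywords: Tuple[str, ...] = SUSPICIOUS_KEYWORDS,
) -> List[Tuple[str, str]]:
    """Return (package, reason) pairs for admins that deserve a closer look."""
    findings: List[Tuple[str, str]] = []
    for pkg in admins:
        lowered = pkg.lower()
        if any(word in lowered for word in keywords):
            findings.append((pkg, "utility-style app holding device-admin rights"))
        elif pkg not in expected:
            findings.append((pkg, "device admin not on the expected list"))
    return findings


if __name__ == "__main__":
    # Replace SAMPLE_DUMPSYS with the real output of:
    #   adb shell dumpsys device_policy
    for package, reason in flag_unexpected_admins(parse_enabled_admins(SAMPLE_DUMPSYS)):
        print(f"{package}: {reason}")
```

A flagged entry is the cue to follow the article's removal advice: deactivate the administrator in the device's security settings and, if the deactivation dialog keeps reappearing as described above, reboot into Safe mode before uninstalling.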
