Threat Management, Malware

When flashlights attack, Android passwords get stolen

Another malicious app has finagled its way into the Google play store in the disguise of a seemingly benevolent flashlight app.

If downloaded, no version of Android is immune to the trojan malware's abilities which allow it to display fake screens, mimic legitimate apps, lock infected devices to hide fraudulent activity, intercept SMS, and display fake notifications in order to bypass two-factor authentication, according to an April 19 ESET blog post.

Researchers added that the malicious app is unlike other banking trojans with a static set of targeted banking apps because of its ability to dynamically adjust its functionality.

“It doesn't have static app names to mimic legit apps such as mobile banking apps, ESET Detection Engineer Lukas Stefanko told SC Media. “Everything is sent from the attacker server to the victim on the run. Due to that, lists of targeted apps can be expanded by each installation.”

Stefanko also noted that this infiltration is a modified/updated version of Android Ransomware that was already removed from Google Play.

The trojan dubbed, Trojan.Android/Charger.B, was installed by nearly 5000 users and was uploaded to the Google Play story on March 30 where it remained until April 10 when ESET researchers alerted the store to the malware.

Once installed the app requests administrator rights which should raise a red flag for any application especially for a flashlight app.

As soon as the permissions are granted the app hides its icon and only appears on the device as a widget and the actual payload is encrypted in the assets of the APK file installed from the Play store to evade detection, researchers said.

The trojan then will register the infected device to the attackers' server. Stefanko advised users to be always check permissions and read reviews when downloading apps, even when from trusted sources.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.