19 April 2017 – ESET researchers have discovered another
banking trojan on Google Play – this time disguised as a Flashlight widget and
targeting a potentially unlimited number of apps.
Android users were the target of another
banking malware with screen locking capabilities, masquerading as a flashlight
app on Google Play. Unlike other banking trojans with a static set of targeted
banking apps, this trojan is able to dynamically adjust its functionality.
Aside from delivering promised flashlight
functionality, the remotely controlled trojan comes with a variety of
additional functions aimed at stealing victims’ banking credentials. Based on
commands from its C&C server, the trojan can display fake screens mimicking
legitimate apps, lock infected devices to hide fraudulent activity and
intercept SMS and display fake notifications in order to bypass
The malware can affect all versions of
Android. Because of its dynamic nature, there might be no limit to targeted
apps – the malware obtains HTML code based on apps installed on the victim’s
device and uses the code to overlay the apps with fake screens after they’re
The trojan, detected by ESET as
Trojan.Android/Charger.B, was uploaded to Google Play on March 30 and got
installed by up to 5000 unsuspecting users before being pulled from the store
on ESET’s notice on April 10.
does it operate?
As soon as the app is installed and
launched, it requests device administrator rights. Users with Android 6.0 and
above also need to manually permit usage access and drawing over other apps.
With the rights and permissions granted, the app hides its icon, appearing on
the device only as a widget.
The actual payload is encrypted in
the assets of the APK file installed from Google Play, evading detection of its
malicious functionality. The payload is dropped, decrypted and executed when
the victim runs the app.
The Trojan first registers the
infected device to the attackers’ server. Apart from sending device information
and a list of installed applications, the malware gets up close and personal
with its victims – it also attaches a picture of the device owner taken by the
If the sent information indicates
the device is located in Russia, Ukraine or Belarus, the C&C commands the
malware to stop its activity – most likely to avoid prosecution of the
attackers in their home countries.
Based on the apps found installed on the infected device, the
C&C sends corresponding fake activity in the form of a malicious HTML code.
The HTML is displayed in WebView after the victim launches one of the targeted
apps. Legitimate activity is then overlaid by a fake screen requesting victim’s
credit card details or banking app credentials.
However, like we mentioned before, specifying what apps qualify as
“targeted” is tricky, as the requested HTML varies based on what apps are
installed on the particular device. During our research, we’ve seen fake
screens for Commbank, NAB and Westpac Mobile Banking, but also for Facebook,
WhatsApp, Instagram and Google Play.
The credentials inserted into the fake forms are sent unencrypted to
the attackers’ C&C server.
As for the device locking, we suspect this function enters the
picture when cashing out the compromised bank accounts. The attackers can
remotely lock devices with a fake update lookalike screen to hide fraudulent
activity from victims, as well as to ensure they can’t interfere.
To communicate with C&C, the
Trojan misuses Firebase Cloud Messages (FCM), which is the first time we’ve
seen Android malware using this communication channel.
Based on our research, the app is a modified version of Android/Charger,
first discovered by Check Point researchers in January 2017.
Unlike the first version that primarily extorted victims by locking their
devices and demanding ransom, the attackers behind Charger are now trying their
luck with phishing for banking credentials – an evolution rather rare in the
world of Android malware.
With its fake login screens and locking capabilities,
Android/Charger.B also bears some resemblance to the banking
malware we discovered and analyzed in February. What makes this latest
discovery more dangerous, however, is the fact that its target can be
dynamically updated, as opposed to being hardcoded in the malware – opening
unlimited options for future misuse.
my device been infected? How do I clean it?
If you’ve recently downloaded a Flashlight
app from Google Play, you might want to check if you haven’t accidentally
reached for this trojan.
The malicious app can be found in Setting
> Application Manager/Apps > Flashlight Widget.
While locating the app is simple,
uninstalling it is a whole another story. The trojan tries to prevent getting
uninstalled by not allowing victims to turn off the active device administrator
– a necessary step for removing the app. When trying to deactivate the rights,
the pop-up screen doesn’t go away until you change your mind and click
In such a case, the app can be uninstalled
by booting your device into Safe mode, which will enable you to go through the
two steps of removing the malicious app.
to stay safe
To avoid dealing with the consequences of
mobile malware, prevention is always the key.
Whenever possible, opt for official app stores when downloading
apps. Although not flawless, Google Play does employ advanced security
mechanisms to keep malware out, which doesn’t have to be the case with
When in doubt about installing an app, check its popularity by
number of installs, ratings and, most importantly, content of reviews.
After running anything you’ve installed on
your mobile device, pay attention to what permissions and rights it requests.
If an app asks for permissions that don’t seem adequate to its function – like
device administrator rights for a Flashlight app – you might want to rethink
Last but not least, use a reputable mobile security solution to
protect your device from latest threats.
30 years, ESET® has been developing
industry-leading IT security software and services for businesses and consumers
worldwide. With solutions ranging from endpoint and mobile security, to
encryption and two-factor authentication, ESET’s high-performing, easy-to-use products
give consumers and businesses the peace of mind to enjoy the full potential of
their technology. ESET unobtrusively protects and monitors 24/7, updating
defenses in real-time to keep users safe and businesses running without
interruption. Evolving threats require an evolving IT security company. Backed
by R&D centers worldwide, ESET becomes the first IT security company to
earn 100 Virus Bulletin VB100 awards, identifying every
single “in-the-wild” malware without interruption since 2003. For more
information visit www.eset.com or follow us on LinkedIn, Facebook and Twitter.
queries, please contact:
Rice Communications for ESET Asia-Pacific
+65 3157 5670