Models pose with Samsung Electronics' Galaxy S8 smartphones during a media event at a company's building in Seoul, South Korea, April 13, 2017. Reuters/Kim Hong-Ji

An Android flashlight app that was available on Google Play is actually a remotely controlled Trojan that steals users’ banking details, according to new findings. The Flashlight LED Widget is said to mimic legitimate banking apps to dupe users into handing over their username and password.

Lukas Stefanko of IT security company ESET described on the welivesecurity.com blog how the app operates. The app poses as a torch that uses the smartphone’s camera flash, but it contains a Trojan that aims to steal victims’ banking credentials.

According to the findings, the Trojan, detected by the company as Android/Charger.B, can display fake screens that mimic legitimate apps, lock the infected device to hide fraudulent activity and intercept text messages to get around two-factor authentication. “The malware can affect all versions of Android. Because of its dynamic nature, there might be no limit to targeted apps – the malware obtains HTML code based on apps installed on the victim’s device and uses the code to overlay the apps with fake screens after they’re launched,” the blog reads.

Stefanko said ESET saw the app mimic the login screens of Commbank, NAB and Westpac Mobile Banking. It also posed as the Facebook, WhatsApp, Instagram and Google Play apps.

How the malicious app works

The app requests device administrator rights as soon as it is installed and launched. It then hides its icon and appears on the device only as a widget. It registers the infected device with the attackers’ server, sending the device’s information and a list of installed apps, along with a picture of the user taken with the front camera.

According to Stefanko, if the device is located in Russia, Ukraine or Belarus, the command and control (C&C) server tells the malware to stop its activity. This is most likely to avoid prosecution in the attackers’ home countries.

Based on the apps found installed on the device, the C&C server sends back the corresponding fake screens as HTML. When the user launches a targeted app, the malware displays that HTML in a WebView on top of the legitimate app: a fake screen that requests the user’s credit card or banking details.
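The capabilities described above (device administrator rights, SMS interception for 2FA codes, a front-camera snapshot, a widget-only presence and overlays drawn over other apps) are all visible in an app’s manifest before it is ever run. The following script is an added example, not ESET’s tooling: it takes an AndroidManifest.xml that has already been decoded to plain XML (for instance with apktool) and flags the combination a torch app has no business requesting. Both manifests and the package names below are constructed for illustration, and the “foreground tracking” check (GET_TASKS or usage-stats access) is an assumption about how overlay malware in general learns which app was launched; the article does not say how Charger.B does it.

```python
"""Static triage of a decoded AndroidManifest.xml for the capabilities the
article attributes to Android/Charger.B.  Added example, not ESET's code.
Assumes the manifest is plain XML (e.g. apktool output); the manifests and
package names are constructed samples."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = "{%s}name" % ANDROID_NS
A_PERMISSION = "{%s}permission" % ANDROID_NS

# Constructed sample: a "torch" that also wants device admin, SMS and overlays.
SUSPECT_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlightwidget">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.FLASHLIGHT"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.GET_TASKS"/>
  <application android:label="Flashlight LED Widget">
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".TorchWidget">
      <intent-filter>
        <action android:name="android.appwidget.action.APPWIDGET_UPDATE"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed sample: what a torch app actually needs.
BENIGN_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.plaintorch">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.FLASHLIGHT"/>
  <application android:label="Plain Torch">
    <receiver android:name=".TorchWidget">
      <intent-filter>
        <action android:name="android.appwidget.action.APPWIDGET_UPDATE"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def manifest_indicators(xml_text):
    """Return the capability flags a reviewer would check for this family."""
    root = ET.fromstring(xml_text)
    perms = {el.get(A_NAME) for el in root.iter("uses-permission")}
    actions = {el.get(A_NAME) for el in root.iter("action")}
    # Device admin: a receiver guarded by BIND_DEVICE_ADMIN, or the enable action.
    admin_receiver = any(r.get(A_PERMISSION) == "android.permission.BIND_DEVICE_ADMIN"
                         for r in root.iter("receiver"))
    return {
        "package": root.get("package"),
        "device_admin": admin_receiver
                        or "android.app.action.DEVICE_ADMIN_ENABLED" in actions,
        # SMS permissions or a receiver for incoming texts (2FA code interception).
        "sms": bool(perms & {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"})
               or "android.provider.Telephony.SMS_RECEIVED" in actions,
        # CAMERA is legitimate for a torch on older Android: reported, not scored.
        "camera": "android.permission.CAMERA" in perms,
        "overlay": "android.permission.SYSTEM_ALERT_WINDOW" in perms,
        # Assumption: overlay malware tracks the foreground app via GET_TASKS or usage stats.
        "foreground_tracking": bool(perms & {"android.permission.GET_TASKS",
                                             "android.permission.PACKAGE_USAGE_STATS"}),
        "widget": "android.appwidget.action.APPWIDGET_UPDATE" in actions,
    }


def verdict(indicators):
    """Score the combination: a torch has no reason to hold device admin and read SMS."""
    hits = [k for k in ("device_admin", "sms", "overlay", "foreground_tracking")
            if indicators[k]]
    if indicators["device_admin"] and indicators["sms"]:
        return "high", hits
    if len(hits) >= 2:
        return "medium", hits
    return "low", hits


if __name__ == "__main__":
    for text in (SUSPECT_MANIFEST, BENIGN_MANIFEST):
        ind = manifest_indicators(text)
        print(ind["package"], verdict(ind))
```

The scoring deliberately ignores CAMERA, which a torch legitimately needs on older Android releases, and treats device admin plus SMS access as decisive: that pair is what lets the Trojan resist removal and defeat SMS-based two-factor authentication, and nothing a flashlight does requires either.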

Stefanko, however, noted that specifying which apps are targeted is tricky, because the HTML the malware requests depends on what is installed on each device. ESET had seen the Trojan mimic the Australian banks and social media apps mentioned above.

ESET also suspects that the device-locking function comes into play when the attackers cash out from the compromised banking accounts. They remotely lock the device with a fake update screen to hide the malicious activity from the user and ensure the victim cannot interfere.

The app was released on March 30 and had been downloaded by 5,000 users before it was pulled from Google Play on April 10. It is said to be a modified version of Android/Charger, which was first discovered by Check Point researchers in January.

“With its fake login screens and locking capabilities, Android/Charger.B also bears some resemblance to the banking malware we discovered and analysed in February. What makes this latest discovery more dangerous, however, is the fact that its target can be dynamically updated, as opposed to being hardcoded in the malware – opening unlimited options for future misuse,” the blog reads.

How to clean an infected device

Those who have downloaded the Flashlight app from Google Play can find it under Settings > Application Manager/Apps > Flashlight Widget. It cannot be uninstalled as easily as other apps, though, because the Trojan prevents users from turning off its active device administrator rights: if users attempt to deactivate them, a pop-up screen appears and will not go away until they give in and click “activate” again.

To uninstall the app, Stefanko advised users to boot their device into Safe mode. Once in Safe mode, go to Settings > Security > Device Administrators, uncheck the Flashlight Widget and deactivate its administrator rights. Then go back to the Application Manager, select the flashlight app and uninstall it.
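When the app has hidden its icon, the first problem is working out which package actually holds the administrator rights. The script below is an added example, not ESET’s tool, for doing that over adb rather than through the Settings screens: it parses the output of `adb shell dumpsys device_policy` and `adb shell pm list packages -3`, reports any third-party package registered as a device admin, and lists the adb commands to run once the rights have been deactivated in Settings as described above. The dumpsys text is a constructed approximation whose layout varies between Android versions, and the package name is hypothetical; feed the real command output to the functions on a live device.

```python
"""Find which third-party package holds device-administrator rights, from
`adb shell dumpsys device_policy` and `adb shell pm list packages -3` output.
Added example, not ESET's tool.  The dumpsys layout is an approximation and
the samples and package name are constructed."""
import re

# Constructed sample of `adb shell dumpsys device_policy`.  A system admin
# (Google's Find My Device receiver) sits next to the hypothetical torch app.
SAMPLE_DUMPSYS = """\
Current Device Policy Manager state:
  Immutable state:
    mHasFeature=true
  Device Owner:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.google.android.gms/.auth.managed.admin.DeviceAdminReceiver:
      uid=10012
      testOnlyAdmin=false
      policies:
        reset-password
        force-lock
        wipe-data
    com.example.flashlightwidget/.AdminReceiver:
      uid=10231
      testOnlyAdmin=false
      policies:
        force-lock
  Encryption Status: 2
"""

# Constructed sample of `adb shell pm list packages -3` (third-party packages only).
SAMPLE_PM_LIST = """\
package:com.example.flashlightwidget
package:com.example.notesapp
package:com.example.chat
"""

# "package/receiver:" lines inside an "Enabled Device Admins" block.
COMPONENT_RE = re.compile(r"^([A-Za-z][\w.]*)/([\w.$]+):$")


def active_admins(dumpsys_text):
    """Map package -> list of admin receiver components for every user block."""
    admins = {}
    in_block, block_indent = False, 0
    for line in dumpsys_text.splitlines():
        stripped = line.strip()
        indent = len(line) - len(line.lstrip())
        if stripped.startswith("Enabled Device Admins"):
            in_block, block_indent = True, indent
            continue
        if in_block and stripped and indent <= block_indent:
            in_block = False  # dedented back out of the admins block
        if in_block:
            m = COMPONENT_RE.match(stripped)
            if m:
                admins.setdefault(m.group(1), []).append(stripped.rstrip(":"))
    return admins


def third_party_packages(pm_list_text):
    """Package names from `pm list packages -3` output."""
    return {line.split(":", 1)[1].strip()
            for line in pm_list_text.splitlines() if line.startswith("package:")}


def third_party_admins(dumpsys_text, pm_list_text):
    """(package, component) pairs for third-party apps that hold admin rights, sorted."""
    admins = active_admins(dumpsys_text)
    return sorted((pkg, comp)
                  for pkg in admins.keys() & third_party_packages(pm_list_text)
                  for comp in admins[pkg])


def removal_commands(package):
    """adb steps to run after the admin has been deactivated in Settings.
    `pm uninstall` is refused with DELETE_FAILED_DEVICE_POLICY_MANAGER while
    the admin is still active, so dumpsys is re-run first to confirm it is gone."""
    return [
        "adb shell dumpsys device_policy",
        "adb shell am force-stop %s" % package,
        "adb shell pm uninstall --user 0 %s" % package,
    ]


if __name__ == "__main__":
    for pkg, comp in third_party_admins(SAMPLE_DUMPSYS, SAMPLE_PM_LIST):
        print("third-party device admin:", comp)
        print("\n".join(removal_commands(pkg)))
```

Restricting the report to packages from `pm list packages -3` keeps legitimate system admins such as Find My Device out of the list; anything third-party that remains, particularly with a name that suggests a utility rather than a corporate MDM client, is the candidate to deactivate in Safe mode before uninstalling.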

Watch Stefanko’s tutorial on how to uninstall the malicious flashlight app (ESET/YouTube).