ESET researchers have discovered another banking trojan on Google Play targeting Android users – this time disguised as a Flashlight widget.

Android users were the target of another banking malware with screen locking capabilities, masquerading as a flashlight app on Google Play. Unlike other banking trojans with a static set of targeted banking apps, this trojan is able to dynamically adjust its functionality.

Aside from delivering promised flashlight functionality, the remotely controlled trojan comes with a variety of additional functions aimed at stealing victims’ banking credentials. Based on commands from its C&C server, the trojan can display fake screens mimicking legitimate apps, lock infected devices to hide fraudulent activity and intercept SMS and display fake notifications in order to bypass two-factor authentication.

The malware can affect all versions of Android. Because of its dynamic nature, there might be no limit to targeted apps – the malware obtains HTML code based on apps installed on the victim’s device and uses the code to overlay the apps with fake screens after they’re launched.

The trojan, detected by ESET as Trojan.Android/Charger.B, was uploaded to Google Play on March 30 and was installed by up to 5,000 unsuspecting users before being pulled from the store on ESET’s notice on April 10.

How does it operate?

As soon as the app is installed and launched, it requests device administrator rights. Users with Android 6.0 and above also need to manually permit usage access and drawing over other apps. With the rights and permissions granted, the app hides its icon, appearing on the device only as a widget.

The actual payload is encrypted in the assets of the APK file installed from Google Play, evading detection of its malicious functionality. The payload is dropped, decrypted and executed when the victim runs the app.

The trojan first registers the infected device to the attackers’ server. Apart from sending device information and a list of installed applications, the malware gets up close and personal with its victims – it also attaches a picture of the device owner taken by the front camera.

If the sent information indicates the device is located in Russia, Ukraine or Belarus, the C&C commands the malware to stop its activity – most likely to avoid prosecution of the attackers in their home countries.

Based on the apps found installed on the infected device, the C&C sends corresponding fake activity in the form of a malicious HTML code. The HTML is displayed in WebView after the victim launches one of the targeted apps. Legitimate activity is then overlaid by a fake screen requesting a victim’s credit card details or banking app credentials.

However, as mentioned before, specifying what apps qualify as “targeted” is tricky, as the requested HTML varies based on what apps are installed on the particular device. During our research, we’ve seen fake screens for Commbank, NAB and Westpac Mobile Banking, but also for Facebook, WhatsApp, Instagram and Google Play.

The credentials inserted into the fake forms are sent unencrypted to the attackers’ C&C server.

As for the device locking, we suspect this function enters the picture when cashing out the compromised bank accounts. The attackers can remotely lock devices with a fake update lookalike screen to hide fraudulent activity from victims, as well as to ensure they can’t interfere.

To communicate with C&C, the trojan misuses Firebase Cloud Messages (FCM), which is the first time we’ve seen Android malware using this communication channel.

Based on our research, the app is a modified version of Android/Charger, first discovered by Check Point researchers in January 2017. Unlike the first version that primarily extorted victims by locking their devices and demanding a ransom, the attackers behind Charger are now trying their luck with phishing for banking credentials – an evolution rather rare in the world of Android malware.

With its fake login screens and locking capabilities, Android/Charger.B also bears some resemblance to the banking malware we discovered and analyzed in February. What makes this latest discovery more dangerous, however, is the fact that its target can be dynamically updated, as opposed to being hardcoded in the malware – opening unlimited options for future misuse.

Has my device been infected? How do I clean it?

If you’ve recently downloaded a Flashlight app from Google Play, you might want to check if you haven’t accidentally reached for this trojan.

The malicious app can be found in Setting > Application Manager/Apps > Flashlight Widget.

While locating the app is simple, uninstalling it is not. The trojan tries to prevent this by not allowing victims to turn off the active device administrator – a necessary step for removing the app. When trying to deactivate the rights, the pop-up screen doesn’t go away until you change your mind and click “activate” again.

In such a case, the app can be uninstalled by booting your device into Safe mode, which will enable you to go through the following two steps to remove the malicious app.

See video below for instructions:

How to stay safe

To avoid dealing with the consequences of mobile malware, prevention is always the key.

Whenever possible, opt for official app stores when downloading apps. Although not flawless, Google Play does employ advanced security mechanisms to keep malware out, which isn’t necessarily the case with alternative stores.

When in doubt about installing an app, check its popularity by the number of installs, its ratings, and, most importantly, the content of reviews.

After running anything you’ve installed on your mobile device, pay attention to what permissions and rights it requests. If an app asks for permissions that don’t seem adequate to its function – like device administrator rights for a Flashlight app – you might want to rethink your choice.

Last but not least, use a reputable mobile security solution to protect your device from latest threats.

Analyzed sample