Android users were the target of another banking
malware with screen locking capabilities, masquerading as a flashlight app on
Google Play. Unlike other banking trojans with a static set of targeted banking
apps, this trojan is able to dynamically adjust its functionality.
Aside from delivering promised flashlight
functionality, the remotely controlled trojan comes with a variety of
additional functions aimed at stealing victims’ banking credentials. Based on
commands from its C&C server, the trojan can display fake screens mimicking
legitimate apps, lock infected devices to hide fraudulent activity and
intercept SMS and display fake notifications in order to bypass two-factor
authentication.
The malware can affect all versions of Android.
Because of its dynamic nature, there might be no limit to targeted apps – the
malware obtains HTML code based on apps installed on the victim’s device and
uses the code to overlay the apps with fake screens after they’re launched.
The trojan, detected by ESET as Trojan.Android/Charger.B,
was uploaded to Google Play on March 30 and was installed by up to 5,000
unsuspecting users before being pulled from the store on ESET’s notice on April
10.
Figure 1 –
The trojan on Google Play
How does it operate?
As soon as the app is installed and launched, it
requests device administrator rights. Users with Android 6.0 and above also
need to manually permit usage access and drawing over other apps. With the
rights and permissions granted, the app hides its icon, appearing on the device
only as a widget.
The actual payload is encrypted in the assets of
the APK file installed from Google Play, evading detection of its malicious
functionality. The payload is dropped, decrypted and executed when the victim
runs the app.
The trojan first registers the infected device to
the attackers’ server. Apart from sending device information and a list of
installed applications, the malware gets up close and personal with its victims
– it also attaches a picture of the device owner taken by the front camera.
If the sent information indicates the device is
located in Russia, Ukraine or Belarus, the C&C commands the malware to stop
its activity – most likely to avoid prosecution of the attackers in their home
countries.
Based on the apps found installed on the infected
device, the C&C sends corresponding fake activity in the form of a
malicious HTML code. The HTML is displayed in WebView after the victim launches
one of the targeted apps. Legitimate activity is then overlaid by a fake screen
requesting a victim’s credit card details or banking app credentials.
However, as mentioned before, specifying what apps
qualify as “targeted” is tricky, as the requested HTML varies based on what
apps are installed on the particular device. During our research, we’ve seen
fake screens for Commbank, NAB and Westpac Mobile Banking, but also for
Facebook, WhatsApp, Instagram and Google Play.
The credentials inserted into the fake forms are
sent unencrypted to the attackers’ C&C server.
As for the device locking, we suspect this function
enters the picture when cashing out the compromised bank accounts. The
attackers can remotely lock devices with a fake update lookalike screen to hide
fraudulent activity from victims, as well as to ensure they can’t interfere.
To communicate with C&C, the trojan misuses
Firebase Cloud Messages (FCM), which is the first time we’ve seen Android
malware using this communication channel.
Based on our research, the app is a modified
version of Android/Charger, first discovered by Check Point researchers in January 2017.
Unlike the first version that primarily extorted victims by locking their
devices and demanding a ransom, the attackers behind Charger are now trying
their luck with phishing for banking credentials – an evolution rather rare in
the world of Android malware.
With its fake login screens and locking
capabilities, Android/Charger.B also bears some resemblance to the banking malware
we discovered and analyzed in February. What makes this latest discovery more
dangerous, however, is the fact that its target can be dynamically updated, as
opposed to being hardcoded in the malware – opening unlimited options for
future misuse.
Has my device been infected? How do I clean
it?
If you’ve recently downloaded a Flashlight app from
Google Play, you might want to check if you haven’t accidentally reached for this
trojan.
The malicious app can be found in Setting >
Application Manager/Apps > Flashlight Widget.
While locating the app is simple, uninstalling it
is not. The trojan tries to prevent this by not allowing victims to turn off
the active device administrator – a necessary step for removing the app. When
trying to deactivate the rights, the pop-up screen doesn’t go away until you
change your mind and click “activate” again.
In such a case, the app can be uninstalled by
booting your device into Safe mode, which will enable you to go through the
following two steps to remove the malicious app.
See video below for instructions:
How to stay safe
To avoid dealing with the consequences of mobile
malware, prevention is always the key.
Whenever possible, opt for official app stores when
downloading apps. Although not flawless, Google Play does employ advanced
security mechanisms to keep malware out, which isn’t necessarily the case with
alternative stores.
When in doubt about installing an app, check its
popularity by the number of installs, its ratings, and, most importantly, the
content of reviews.
After running anything you’ve installed on your
mobile device, pay attention to what permissions and rights it requests. If an
app asks for permissions that don’t seem adequate to its function – like device
administrator rights for a Flashlight app – you might want to rethink your
choice.
Last but not least, use a reputable mobile security
solution to protect your device from latest threats.
