ESET uncovers an Android trojan, masquerading as flashlight app.
Android users were the target of another banking malware with screen locking capabilities, masquerading as a flashlight app on Google Play. Unlike other banking trojans with a static set of targeted banking apps, this trojan can dynamically adjust its functionality.
Aside from delivering the promised flashlight functionality, this remotely controlled trojan comes with a variety of additional functions aimed at stealing victims’ banking credentials. Based on commands from its C&C server, the trojan can display fake screens mimicking legitimate apps, lock infected devices to hide fraudulent activity and intercept SMS and display fake notifications in order to bypass two-factor authentication.
The malware can affect all versions of Android. Because of its dynamic nature, there might be no limit to targeted apps – the malware obtains HTML code based on apps installed on the victim’s device and uses the code to overlay the apps with fake screens after they’re launched.
The trojan, detected by ESET as Trojan.Android/Charger.B, was uploaded to Google Play on March 30 and was installed by up to 5,000 unsuspecting users before being pulled from the store on ESET’s notice on April 10.
The full story with screenshots is available on ESET Ireland’s official blog.
