Turn on the light and hand over your passwords! Fake flashlight hides on Google Play - "TechnoTron"


FAKE FLASHLIGHT

A banking malware with screen-locking capabilities was targeting Android users by posing as a flashlight application available on Google Play. Unlike other banking trojans, which target a fixed set of banking applications, this one can adjust its functionality dynamically.

In addition to providing the promised flashlight functionality, the remotely controlled threat comes with a variety of additional functions aimed at stealing victims' banking credentials. Based on commands from its C&C server, the trojan can display fake screens that mimic legitimate applications, lock infected devices to hide the fraudulent activity, intercept SMS messages, and display fake notifications to bypass two-factor authentication.

The malware can affect all versions of Android. Because of its dynamic nature, there may be no limit to the apps it targets: the threat obtains HTML code based on the applications installed on the victim's device and uses it to cover them with fake screens when they are launched.

The trojan, detected by ESET as Trojan.Android/Charger.B, made it onto Google Play on March 30 and was installed by up to 5,000 unsuspecting users before being removed from the store on April 10, following ESET's notification.

FAKE FLASHLIGHT, APP, SMARTPHONES, MALWARE, ANDROID, GOOGLE PLAY



[Image: flashlight led widget]



How does it operate?

Once installed and running, the app requests device administrator permissions. Users on Android 6.0 and later must additionally grant it, manually, the permission to draw overlays on top of other applications. With these rights and permissions obtained, the application hides its icon and appears on the device only as a widget.

The payload is encrypted in the resources of the APK installed from Google Play, evading detection of its malicious functionality. This malicious payload is decrypted and executed when the victim opens the application.
First, the trojan registers the infected device with the attacker's server. In addition to sending device information and a list of the installed apps, the malware seeks to get to know its victims better: it also attaches a photo of the victim taken with the device's front camera.

If the submitted information indicates that the device is located in Russia, Ukraine or Belarus, the C&C instructs the malware to stop its activity, probably to avoid prosecution of the attackers in their own countries.
Depending on the applications found on the infected device, the C&C sends the fake activity as malicious HTML code, which is displayed in a WebView once the victim launches one of the apps on the target list. A fake screen overlays the legitimate activity and asks for the user's credit card details, or their login credentials for a particular banking application.

However, as mentioned before, defining which banking applications are on the target list is complicated, since the HTML requested varies depending on which applications are installed on the particular device. During our research, we saw fake screens for Commbank, NAB and Westpac Mobile Banking, but also for Facebook, WhatsApp, Instagram and Google Play.

The credentials entered in the fake forms are sent unencrypted to the attacker's C&C server.
As for locking the device, we suspect it comes into play when money is being withdrawn from the affected bank accounts. Attackers can remotely lock the device with a fake screen that looks like an update, to hide the fraudulent activity and ensure that victims cannot interfere.

To communicate with the C&C, the trojan misuses Firebase Cloud Messaging (FCM); this is the first time we have seen Android malware use this communication channel.

According to our investigation, the app is a modified version of Android/Charger, first discovered by Check Point researchers in January 2017. Unlike the first version, which extorted its victims by locking their devices and demanding a ransom payment, the attackers behind Charger are now trying their luck with phishing for banking credentials, a rare development in the world of Android malware.

With its capabilities to display fake login screens and lock devices, Android/Charger.B is also similar to the banking malware we discovered and discussed in February. What makes this latest discovery more dangerous, however, is the fact that its targets can be updated dynamically rather than being hard-coded in the malware, which leaves the door open to future misuse.




Can your device be infected? How do you clean it?

If you have recently downloaded a flashlight application from Google Play, verify that it is not this trojan.
The malicious application can be found under Settings → Application Manager → Flashlight Widget.

While finding it is simple, uninstalling it is not. The trojan tries to prevent victims from deactivating its active device administrator, which is required in order to remove the application. When you try to revoke the rights, the pop-up screen will not go away until you change your mind and click the "activate" button again.
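As an added example (not ESET's code nor part of this post), a small Python triage script that checks a device for the indicators described above and for the device administrator abuse from the "How does it operate?" section: it correlates `adb shell pm list packages -f` and `adb shell dumpsys device_policy` output with the package name and SHA-1 from the "Sample analyzed" table, flagging the package by hash or name and any package holding device administrator rights. The two output formats are assumptions to verify against your Android version, and the sample output in the block is constructed.

```python
import hashlib
import re

# Indicators for the sample in this post ("Sample analyzed"): package name and SHA-1.
IOC_PACKAGE = "com.flashscary.widget"
IOC_SHA1 = "CA04233F2D896A59B718E19B13E3510017420A6D".lower()

# Assumed output formats (check against your device / Android version):
#   `adb shell pm list packages -f`   -> "package:<apk path>=<package name>"
#   `adb shell dumpsys device_policy` -> admin entries as "ComponentInfo{<package>/<receiver>}"
PM_LINE = re.compile(r"^package:(?P<path>.+)=(?P<pkg>[\w.]+)$")
ADMIN_COMPONENT = re.compile(r"ComponentInfo\{(?P<pkg>[\w.]+)/[\w.$]+\}")


def parse_pm_packages(pm_output):
    """Map package name -> APK path from `pm list packages -f` output."""
    installed = {}
    for line in pm_output.splitlines():
        m = PM_LINE.match(line.strip())
        if m:
            installed[m.group("pkg")] = m.group("path")
    return installed


def parse_device_admins(dumpsys_output):
    """Collect package names that appear as device-admin components."""
    return {m.group("pkg") for m in ADMIN_COMPONENT.finditer(dumpsys_output)}


def triage(pm_output, dumpsys_output, read_file):
    """Return (package, reason) findings. read_file(path) -> bytes, so the check
    runs on APKs pulled with `adb pull` or on test data, fully offline."""
    installed = parse_pm_packages(pm_output)
    admins = parse_device_admins(dumpsys_output)
    findings = []
    for pkg, path in installed.items():
        digest = hashlib.sha1(read_file(path)).hexdigest()
        if digest == IOC_SHA1:
            findings.append((pkg, "APK SHA-1 matches the Android/Charger.B sample"))
        elif pkg == IOC_PACKAGE:
            findings.append((pkg, "package name matches IoC, SHA-1 differs from listed sample"))
        if pkg in admins:
            # Device-admin rights are what the trojan abuses to resist removal;
            # a flashlight app holding them is a red flag on its own.
            findings.append((pkg, "holds device administrator rights"))
    return findings


if __name__ == "__main__":
    # Constructed sample output, not captured from a real device.
    pm = ("package:/data/app/com.flashscary.widget-1/base.apk=com.flashscary.widget\n"
          "package:/system/priv-app/Calendar/Calendar.apk=com.android.calendar\n")
    dp = ("  Enabled Device Admins (User 0):\n"
          "    ComponentInfo{com.flashscary.widget/com.flashscary.widget.AdminReceiver}\n")
    for pkg, reason in triage(pm, dp, lambda path: b"constructed-apk-bytes"):
        print(pkg, "-", reason)
```

Review any package the script flags for device administrator rights by hand; legitimate device management apps hold them too.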

In that case, it can be removed by rebooting the device in safe mode, which will allow you to follow these two steps to remove the app:






How to protect yourself

To avoid having to deal with the consequences of mobile malware, prevention is always key.

Whenever possible, opt for official app stores when downloading apps. Although it is not foolproof, Google Play uses advanced security mechanisms to keep malware out, which is not necessarily the case with alternative stores.

If you are in doubt about installing an application, check its popularity by the number of installs, its ratings and, most importantly, the content of the reviews.

When running anything you have installed on your mobile device, pay attention to what permissions and rights it requests. If an application requests permissions that don't seem appropriate for its function, such as device administrator rights for a flashlight app, you might want to rethink your choice.

Last but not least, use a reputable mobile security solution to protect your device from the latest threats.

Sample analyzed

Package name              Hash (SHA-1)                                  Detection
com.flashscary.widget     CA04233F2D896A59B718E19B13E3510017420A6D      Android/Charger.B

