I turn on the light, and give me your passwords! False lantern hides on Google Play - "TechnoTron"


FAKE FLASHLIGHT

A banking malware with the capabilities of screen lock was pointing to Android users, by pretending to be a application with function of flashlight available on Google Play. Unlike other banking trojans, which are a set of banking applications such as aim, this is able to adjust its functionality in a dynamic way.

In addition to providing the promised functionality of the flashlight, the threat, controlled in a remote way, comes with a variety of additional functions that are looking to steal banking credentials from victims. On the basis of the commands on your server of C&C, the trojan can display screens fake that mimic legitimate applications, block infected devices to hide the fraudulent activity, intercept SMS messages, and display notifications to false to avoid the double authentication.

The malware can affect all the versions of Android. Due to its dynamic nature, it may not be a limit to the apps lens; the threat gets HTML code based on the applications installed on the device of the victim and uses it to cover them with screens false then they are executed.

The trojan, detected by ESET as a Trojan.Android/Charger.B, climbed to the Google Play on the 30th of march and was installed for up to 5,000 unsuspecting users before being removed from the store, after the notice of ESET the 10 of April.

FAKE FLASHLIGHT, APP, SMARTPHONES, MALWARE, ANDROID, GOOGLE PLAY

flashlight led widget



How it operates?

Just installed and is running, the app requests permissions from device administrator. Users with Android 6.0 and later versions must, in addition, allow you to manually access and use the overlay on other applications. With the rights and permissions obtained, the application hides its icon and appears in the team only as a widget.

The payload is encrypted in the resources in the APK installed from Google Play, eluding detection of its malicious feature. This malicious payload is decrypted and executed when the victim opens the application.
First, the trojan registers the infected device in the server of the attacker. In addition to sending information to the computer and a list of the apps you have installed, the malware looks for to better know their victims, since they also attach a photo of yourself taken with the front camera of the device.

If the information submitted indicates that you are located in Russia, Ukraine or Belarus, the C&C instructs the malware to stop its activity, probably to avoid the persecution of the attackers in their own countries.
Depending on the applications they find on the infected computer, the C&C sends the activity to false in the form of HTML code in malicious, which is shown in WebView after which the victim is running one of the apps of the list of targets. A screen false overlaps the legitimate activity and asks for the details of the credit card of the user, or their access credentials for a particular banking application.

However, as we mentioned before, to define what banking applications are on the list of goals is complicated, since the HTML is requested varies depending on what applications are installed on the particular device. During our research, we have seen displays false for Commbank, NAB and Westpac Mobile Banking, but also for Facebook, WhatsApp, Instagram, and Google Play.

The credentials entered in the false forms are sent unencrypted to the server of C&C's attacker.
In terms of locking the device, we suspect that enters the scene when one extracts money from the bank accounts involved. Attackers can remotely lock the device with a screen fake that looks like a update, to hide the fraudulent activity and to ensure that victims do not interfere.

To communicate with the C&C, the trojan makes improper use of Firebase Cloud Messages (FCM); this is the first time that we see an Android malware uses this channel of communication.

As we investigate, the app is a modified version of Android/Charger, discovered initially by researchers from Check Point in January 2017. Unlike the first version, which extorsions its victims by locking their devices and demanding the payment of a ransom, the attackers behind the Charger now try their luck with phishing to obtain banking credentials, a development rare in the world of malware for Android.

With their capabilities of display screens login fake and lock computers, Android/Charger.B is also similar to the banking malware that we discovered and discuss in February. What makes this latest discovery more dangerous, however, is the fact that your goal may be updated dynamically, instead of being inserted in the code of the malware, which leaves open the possibility of future misuse.




Can infected your device? How do I clean it?

If you have recently downloaded an application of flashlight from Google Play, verify that it is not this trojan.
The malicious application can be found in Settings → applications Manager → Flashlight Widget

If well-found is simple, uninstall it it is not. The trojan seeks to avoid impeding the victims to turn off the device manager active, something that you need to remove the application. When trying to clear the rights, the pop-up screen will not until you change your mind and click the “activate” button back.

In that case, it can be removed by rebooting the computer in safe mode, which will allow you to follow these two steps to remove the app:






How to protect yourself

To avoid dealing with the consequences of mobile malware, prevention is always the key.

Whenever possible, opt for the stores application in official download apps. Although it is not foolproof, Google Play uses advanced mechanisms of security to avoid malware, which is not necessarily the case in alternative shops.

If you are in doubt about the installation of an application, it checks your popularity by the number of facilities, their qualifications and, what is more important, the content of the comments.

After you run any thing you have installed on your mobile device, pay attention to what permissions and rights requests. If an application requests permissions that don't seem appropriate for their function, such as the rights of device administrator for an app of flashlight, you might want to re-think your choice.

Last, but not least, use a solution of mobile security of good reputation to protect your device from the latest threats.

 Sample analyzed

 Package name               Hash                                                                                   Detection
com.flashscary.widget     CA04233F2D896A59B718E19B13E3510017420A6D      Android/Charger.B


FAKE FLASHLIGHT, APP, SMARTPHONES, MALWARE, ANDROID, GOOGLE PLAY

Comments

Post a Comment

Popular posts from this blog

Twitter: change your profile image by default, the end of snake eggs - "TechnoTron"

Image
Twitter: change your profile image by default TWITTER, TRENDS, SOCIAL NETWORKS, INTERNET, TECHNOLOGY The image of an egg that was assigned to new comers to the social network became synonymous with accounts created for the purpose of attacking others from anonymity. After having been replaced as the solution to the problem is still far. Since 2010, the default image that appeared in the new profiles of Twitter was a white egg, accompanied by a different background for each account. An entry of the blog you write responsible for the layout of the page, explains how the people who use the network to attack other users motivated change that image and the process that led to the gray silhouette that now replaces it. The idea behind the image that represents the rookies in the social network was simple: eggs were a temporary measure until the users choose an image that would be identified. It is positioning that after leaving the eggs, the users were as birds that fed
Keep reading

WhatsApp: discover if you are spied on when using WhatsApp Web

Image
Index : Prologue 1.- WhatsApp Web, a tool that is too quiet 2.- How to protect your account from WhatsApp so no one can spy on web Prologue " WhatsApp Web goes well to use the messaging on the computer, but it is easy to spy on another person if you are logged in the browser with your mobile phone. Avoid this. "   The messaging application for excellence not only drag behind itself a huge popularity, a huge amount of controversy. Security, partnerships with Facebook... And a large number of users they see violating your privacy for couples, friends, family... that try to spy on their conversations. Spy on WhatsApp is one of the most common. And it is because it is in this application where we turned over our side more intimate. The worst thing is that it is quite easy to gain access to the conversations of another person with WhatApp Web . The company added few months ago a notification when you use the session in another part, but can be overlook
Keep reading

Windows 10: with Ubuntu Bash Console how to use it - TechnoTron

Image
Posted by: TechnoTron 2/28/2017 Source:     Xataka                                                                                                                                                     In April 2016 Microsoft had announced one of the great new features of Windows 10: the possibility of using a Linux console natively in this operating system thanks to the collaboration of Canonical, the company responsible for the development of Ubuntu. That option is available thanks to the arrival of the compilation 14316 of Windows 10, in which apart from other news we can start using the bash console of Ubuntu directly in Windows 10. If you are Windows Insiders and you are inside the ring of quick updates, You can now apply that update and enjoy that console easily. This has been our experience in taking advantage of this feature.
Read more