Home > HOW TO GUIDES > Remove Flashlight LED Widget Banking Trojan App

Remove Flashlight LED Widget Banking Trojan App

This article has been created to help you remove Flashlight LED Widget app that is actually malicious banking trojan that targets banking apps and may display phishing screens.

A remotely operated Trojan horse pretending to be a Flashlight application for Android devices has been reported to gain popularity and infect more devices. The trojan is able to display fake duplicate screens that appear to be the same as the ones on legitimate applications in order to intercept and steal information. This new type of phishing technique has been reported to be widely used and be the new trend in banking malware.

Threat Summary


Flashlight LED Widget

Type Android Banking Trojan
Short Description Uses a fake app to display duplicate login screens of legitimate applications and sniff out information this way.
Symptoms Having an app, called Flashlight LED Widget.
Distribution Method Malicious third-party apps or Google Play Store.
Protection Tool See If Your System Has Been Affected by malware



User Experience Join our forum to Discuss El Gato Ransowmare.

Flashlight Banking Trojan – Distribution

One very important method of distribution used by the hackers who spread this trojan is by uploading seemingly legitimate widgets and apps on Google Play store with malware embedded in them. The apps themselves are not malicious and they may do as promised, however this particular Flashlight LED Widget connects to a command and control server of the cyber-criminals after requesting administrative permissions from the Android user. Such permissions even allow the app to hide it’s icon from the device, preventing it’s uninstall via this method.

Android Flashlight Banking Trojan – How Does It Work?

Once the app infects an Android device, the payload is contained in encrypted format within the APK package file which the victim installs from the Google Play store. This payload code is obfuscated and cannot be detected. But once the application is installed, the code is unpacked and unlocked.

The first thing this trojan does is to connect to the server of the cyber-criminal behind it, sending important details of the device. It also takes a snapshot on your front camera to see who you are.

What is interesting is that if the device detects the victim is from Russia or former Soviet Union countries, including Ukraine and Belarus, it shuts down. This tactic is believed to be performed because the attackers may claim afterwards they have not infected their own countries.

In addition to those activities, the fake Flashlight LED Widget malware also sends information in a HTML code which is displayed in WebView. This means that as soon as the affected user opens a new application, the application that is original is replaced with a duplicate screen that requests victims to enter their personal credentials such as their PayPal password and username, for example. Malware researchers at WeLiveSecurity have identified that there is difference between the legitimate and fake screen, even though it is minimal:

Source: WeLiveSecurity

But this is not all, the malware can also lock the screen on your phone, similar to what mobile ransomware infections, like El Gato Android ransomware(https://sensorstechforum.com/remove-el-gato-android-ransomware-restore-locked-devices/) does.

Remove Flashlight Widget Banking Malware from Your Android Device

In order to make sure that your device is safe, follow the instructions below.

Ventsislav Krastev

Ventsislav Krastev

Ventsislav is a cybersecurity expert at SensorsTechForum since 2015. He has been researching, covering, helping victims with the latest malware infections plus testing and reviewing software and the newest tech developments. Having graduated Marketing as well, Ventsislav also has passion for learning new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management, Network Administration and Computer Administration of System Applications, he found his true calling within the cybersecrurity industry and is a strong believer in the education of every user towards online safety and security.

More Posts - Website

Follow Me:

Leave a Comment

Your email address will not be published. Required fields are marked *

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share