Remove Flashlight LED Widget Banking Trojan App - How to, Technology and PC Security Forum |

Remove Flashlight LED Widget Banking Trojan App

1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)

This article has been created to help you remove Flashlight LED Widget app that is actually malicious banking trojan that targets banking apps and may display phishing screens.

A remotely operated Trojan horse pretending to be a Flashlight application for Android devices has been reported to gain popularity and infect more devices. The trojan is able to display fake duplicate screens that appear to be the same as the ones on legitimate applications in order to intercept and steal information. This new type of phishing technique has been reported to be widely used and be the new trend in banking malware.

Threat Summary


Flashlight LED Widget

TypeAndroid Banking Trojan
Short DescriptionUses a fake app to display duplicate login screens of legitimate applications and sniff out information this way.
SymptomsHaving an app, called Flashlight LED Widget.
Distribution MethodMalicious third-party apps or Google Play Store.
Protection Tool See If Your System Has Been Affected by Flashlight LED Widget



User ExperienceJoin our forum to Discuss El Gato Ransowmare.

Flashlight Banking Trojan – Distribution

One very important method of distribution used by the hackers who spread this trojan is by uploading seemingly legitimate widgets and apps on Google Play store with malware embedded in them. The apps themselves are not malicious and they may do as promised, however this particular Flashlight LED Widget connects to a command and control server of the cyber-criminals after requesting administrative permissions from the Android user. Such permissions even allow the app to hide it’s icon from the device, preventing it’s uninstall via this method.

Android Flashlight Banking Trojan – How Does It Work?

Once the app infects an Android device, the payload is contained in encrypted format within the APK package file which the victim installs from the Google Play store. This payload code is obfuscated and cannot be detected. But once the application is installed, the code is unpacked and unlocked.

The first thing this trojan does is to connect to the server of the cyber-criminal behind it, sending important details of the device. It also takes a snapshot on your front camera to see who you are.

What is interesting is that if the device detects the victim is from Russia or former Soviet Union countries, including Ukraine and Belarus, it shuts down. This tactic is believed to be performed because the attackers may claim afterwards they have not infected their own countries.

In addition to those activities, the fake Flashlight LED Widget malware also sends information in a HTML code which is displayed in WebView. This means that as soon as the affected user opens a new application, the application that is original is replaced with a duplicate screen that requests victims to enter their personal credentials such as their PayPal password and username, for example. Malware researchers at WeLiveSecurity have identified that there is difference between the legitimate and fake screen, even though it is minimal:

Source: WeLiveSecurity

But this is not all, the malware can also lock the screen on your phone, similar to what mobile ransomware infections, like El Gato Android ransomware( does.

Remove Flashlight Widget Banking Malware from Your Android Device

In order to make sure that your device is safe, the first step that you should take is to change all of your passwords for the apps used on your Android device from another, safe device. Then, we advise you to backup your phone’s data and then follow the instructions below to factory reset it and reinstall all the Android APK components that are default, anew.

And in the future we advise you to use better protection against privacy invasive apps and malware, like BetterGuard, for example.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website

Follow Me:

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share