A remotely operated Trojan horse pretending to be a Flashlight application for Android devices has been reported to gain popularity and infect more devices. The trojan is able to display fake duplicate screens that appear to be the same as the ones on legitimate applications in order to intercept and steal information. This new type of phishing technique has been reported to be widely used and be the new trend in banking malware.
Flashlight LED Widget
|Type||Android Banking Trojan|
|Short Description||Uses a fake app to display duplicate login screens of legitimate applications and sniff out information this way.|
|Symptoms||Having an app, called Flashlight LED Widget.|
|Distribution Method||Malicious third-party apps or Google Play Store.|
See If Your System Has Been Affected by malware
|User Experience||Join our forum to Discuss El Gato Ransowmare.|
Flashlight Banking Trojan – Distribution
One very important method of distribution used by the hackers who spread this trojan is by uploading seemingly legitimate widgets and apps on Google Play store with malware embedded in them. The apps themselves are not malicious and they may do as promised, however this particular Flashlight LED Widget connects to a command and control server of the cyber-criminals after requesting administrative permissions from the Android user. Such permissions even allow the app to hide it’s icon from the device, preventing it’s uninstall via this method.
Android Flashlight Banking Trojan – How Does It Work?
Once the app infects an Android device, the payload is contained in encrypted format within the APK package file which the victim installs from the Google Play store. This payload code is obfuscated and cannot be detected. But once the application is installed, the code is unpacked and unlocked.
The first thing this trojan does is to connect to the server of the cyber-criminal behind it, sending important details of the device. It also takes a snapshot on your front camera to see who you are.
What is interesting is that if the device detects the victim is from Russia or former Soviet Union countries, including Ukraine and Belarus, it shuts down. This tactic is believed to be performed because the attackers may claim afterwards they have not infected their own countries.
In addition to those activities, the fake Flashlight LED Widget malware also sends information in a HTML code which is displayed in WebView. This means that as soon as the affected user opens a new application, the application that is original is replaced with a duplicate screen that requests victims to enter their personal credentials such as their PayPal password and username, for example. Malware researchers at WeLiveSecurity have identified that there is difference between the legitimate and fake screen, even though it is minimal:
But this is not all, the malware can also lock the screen on your phone, similar to what mobile ransomware infections, like El Gato Android ransomware(https://sensorstechforum.com/remove-el-gato-android-ransomware-restore-locked-devices/) does.
Remove Flashlight Widget Banking Malware from Your Android Device
In order to make sure that your device is safe, follow the instructions below.