Researchers have discovered a new app targeting Android devices, capable of downloading and executing additional malware. Users who install the malware might find their mobile devices held ransom or bank accounts emptied.
Detected by ESET security software as Android/TrojanDownloader.Agent.JI, the Trojan is distributed via compromised websites, including adult video sites and social media, and masquerades as a Flash Player update.
Following installation, the malware creates a fake ‘Saving Battery’ service in the Android system and urges the victim to grant crucial permissions within Android’s Accessibility functions. Once granted, these permissions – Monitor your actions, Retrieve window content and Turn on Explore by Touch – all crucial for future malicious activity, enable the attacker to mimic the user’s clicks and select anything displayed on their screen.
Once the service is enabled, the fake Flash Player icon hides from the user. However, in the background, the malware contacts its C&C server and provides it with information about the attacked device. The server responds with a URL leading to a malicious app of the cybercriminals’ choice – in the analysed case, malware. After acquiring the malicious link, the compromised device displays a bogus lock screen with no option to close it, covering the ongoing malicious activity beneath it.
How to know you’ve been infected and what to do
The key indicator of whether a device has been infected with this malware is the presence of a ‘Saving Battery’ option amongst Services in the Accessibility menu.
Denying the service its permissions will not get rid of Android/TrojanDownloader.Agent.JI. To remove the downloader, try manually uninstalling the app from Settings -> Application Manager -> Flash-Player.
In some instances, the user has been successfully tricked into granting Device administrator rights to the app. In such a case, it is necessary to deactivate the administrator rights first, by going to Settings -> Security -> Flash-Player, before uninstalling.
Senior Research Fellow at ESET, Nick FitzGerald told Women Love Tech this particular Trojan has been built so other malware can be downloaded.
“When our analysts looked at this downloader, its real payload was designed to steal money from bank accounts. However, it would take only the cybercriminals distributing this downloader to change the payload malware for the user to get served with spyware or ransomware,” FitzGerald said.
“There is no Adobe Flash Player for Android, so if you have installed one, warned that your version needs updating, or installed that ‘update’, you should install a security product and scan the whole device, as you have been duped and most likely have something undesirable running on your device. Here are some basic recommendations I would follow to prevent further infection:
- Only download apps or updates from official stores and trustworthy sources.
- Take a detailed look at what permissions and rights you are granting to your apps.
- Use a reputable mobile security solution for better protection.
Check out more information on welivesecurity website.