If you’ve recently installed a Flash Player Android app and now almost every app you open asks you for your payment card details, you’ve been infected with a banking Trojan.
It is unclear where the fake, malicious Flash Player can be downloaded from, but it’s likely one or more third-party apps stores popular around the world.
What is clear is that the app is bad news. Once victims install and run it, it pushes them to grant it device administrator rights via a fake Google Play service. It then “disappears” into the background and kicks into action each time they open one of 94 different mobile banking apps or a number of other popular social networking or messaging apps (WhatsApp, Twitter, Facebook, Skype, Snapchat, etc.).
The full list of banking apps it targets is available in this blog post by Fortinet researcher Kai Lu, who analyzed the malware. Mostly, they are apps from large banks in the US, Australia, Austria, Germany, France, Turkey, and Poland.
Once one of those apps is opened, the malware will ask for more than just payment card details – it will also go after online banking credentials.
The malware performs its phishing routine by overlaying a screen with the fake forms and stolen graphics over the legitimate app.
It is also capable of intercepting SMS communications (which helps the criminals bypass SMS-based two-factor authentication), reading users’ contacts, Web bookmarks and browsing history, preventing the phone from sleeping, and so on.
Uninstalling the malware/fake app is easy, if you know how.
“The user can disable the device administrator rights in Settings -> Security -> Device administrators -> Google Play Service -> Deactivate and then uninstall the fake ‘Flash Player’ via Settings -> Apps -> Flash-Player-update -> Uninstall,” Lu advises.
Unfortunately, if you have already shared payment card information and/or banking credentials when prompted by the malware, you’ll need to contact your bank/payment card issuer to revoke them and issue you new ones.
If you’re lucky, criminals have not managed to misuse the stolen information in the meantime.