Flashlight app on Google Play delivered highly adaptable banking Trojan

A modified version of the Charger mobile ransomware has been downloaded from Google Play by up to 5,000 users.

This new variant of the malware was shipped inside a legitimate-looking flashlight app called “Flashlight LED Widget” and, unlike its predecessor, locking the device and demanding a ransom from the user in order to unlock it is not its main goal.

Charger.B: A highly flexible credential stealer

The threat was spotted by ESET researchers, who notified Google and got the app pulled from Google Play some ten days ago.

According to their analysis, the malware works on all Android versions, and is able to minimize its visibility on the infected phones, display fake (phishing) screens mimicking legitimate apps, intercept text messages, and temporarily lock the device to prevent victims from interfering with the crooks’ fraudulent activity.

There are also several unusual things about Charger.B: it uses Firebase Cloud Messages (FCM) to communicate with the C&C server, it sends a picture of the device owner taken by the front camera to the C&C server, and it doesn’t have a static set of targeted banking apps.

“Based on the apps found installed on the infected device, the C&C sends corresponding fake activity in the form of a malicious HTML code. The HTML is displayed in WebView after the victim launches one of the targeted apps. Legitimate activity is then overlaid by a fake screen requesting a victim’s credit card details or banking app credentials,” the researchers explained.

“However, specifying what apps qualify as ‘targeted’ is tricky, as the requested HTML varies based on what apps are installed on the particular device. During our research, we’ve seen fake screens for Commbank, NAB and Westpac Mobile Banking, but also for Facebook, WhatsApp, Instagram and Google Play.”

This feature opens unlimited options for future misuse.

Finally, the locking capability is believed to be used as a diversion while the crooks are emptying victims’ bank accounts. The screen shown to the victims implies that the device’s software is being updated, and that’s why they can’t use the device at that moment:

flashlight-app-trojan

How to remove the malware?

The fake app’s icon is not visible on the main screen/menu, but only as a widget (in Settings > Application Manager/Apps).

Users who have installed the fake app (and, consequently, the malware) were asked to give the app device administrator rights and, on Android 6.0 and above, permission to draw over other apps. The Trojan uses the former to try to prevent getting uninstalled by not allowing victims to turn off the active device administrator.

Victims will have to use an alternative method, helpfully explained in this video: