sb-as logo
Story image

Dangerous Android Trojan masquerades as Flash Player update

22 Feb 2017

 A new Android Trojan has been lurking under a fake app that tries to mimic a Flash Player update, ESET discovered this week.

The Android/TrojanDownloader Agent JI is able to download and execute additional malware, which is capable of emptying bank accounts or conducting ransomware attacks.

The Trojan is delivered through compromised websites such as social media and ‘adult’ sites. ESET says that the Trojan uses ‘safety measures’ as the reason to target users in the fake Flash update.

“This particular Trojan has been built so other malware can be downloaded. When our analysts looked at this downloader, its real payload was designed to steal money from bank accounts. However, it would take only the cybercriminals distributing this downloader to change the payload malware for the user to get served with spyware or ransomware,” says Nick FitzGerald, ESET senior research fellow.

The Flash update screen looks genuine enough, however those that fall for the scam are then prompted of a successful install. The malware then creates a ‘Saving Battery’ service that wants access to permissions in Android’s Accessibility functions.

Those permissions are ‘monitor your actions, retrieve window content and turn on Explore by touch’, all of which enable attackers to copy user clicks and select anything on the screen.

Meanwhile, the Flash malware hides its icon and communicates with the C&C server and provides information about the infected device. The server can then deliver a URL with other malware. The compromised device then shows a fake lock screen with no option to close it, disguising all malicious activity.

ESET provides the following tips for users to find out if they have been infected:

"The key indicator of whether a device has been infected with this malware is the presence of a “Saving Battery” option amongst Services in the Accessibility menu.

Denying the service its permissions will not get rid of Android/TrojanDownloader.Agent.JI. To remove the downloader, try manually uninstalling the app from Settings -> Application Manager -> Flash-Player.

In some instances, the user has been successfully tricked into granting Device administrator rights to the app. In such a case, it is necessary to deactivate the administrator rights first, by going to Settings -> Security -> Flash-Player, before uninstalling."

To avoid infection, Fitzgerald offers some key pointers:

“There is no Adobe Flash Player for Android, so if you have installed one, warned that your version needs updating, or installed that “update”, you should install a security product and scan the whole device, as you have been duped and most likely have something undesirable running on your device.”

  • Use official app stores and trustworthy sources for app downloads and updates
  • Carefully consider what permissions the app is asking for
  • Use mobile security for better protection 
Story image
Aruba updates edge security platform with SD-WAN capabilities
Aruba’s latest iteration of its Edge Services Platform (ESP) has been quick to make use of HPE’s acquisition of Silver Peak in September last year.More
Story image
Attivo Networks expands Active Directory suite for greater protection
"We see Active Directory exploitation used in the majority of ransomware, insider and advanced attacks. We are pleased to now offer our customers early and efficient solutions for preventing the misuse of Active Directory.”More
Story image
Mobile devices biggest enterprise security threat - report
Businesses have left themselves vulnerable and open to cyber criminals in the rush to ensure their workforce could operate remotely during the Covid-19 pandemic.More
Story image
Enterprises underutilising security tools, causing teams to burn out
The report unveiled a lack of meaningful ROI metrics when reporting on security progress, as well as disparate opinions on objectives, tool effectiveness and security awareness amongst the organisation between executives and operations on security teams.More
Story image
Software-based facial recognition in payments industry to dominate by 2025
There will be more than 1.4 billion users of facial recognition software used for payments alone in 2025, up from 671 million in 2020.More
Story image
WatchGuard uncovers top cyber threat trends of Q4 2020
“The rise in sophisticated, evasive threat tactics last quarter and throughout 2020 showcases how vital it is to implement layered, end-to-end security protections."More