Flashlight App on Google Play Spreads Banking Malware
Android users were the target of another banking malware, detected by ESET, with screen-locking capabilities, masquerading as a flashlight app on Google Play. Unlike other banking trojans with a static set of targeted banking apps, this trojan is able to dynamically adjust its functionality. Aside from delivering the promised flashlight functionality, the remotely controlled trojan comes with a variety of additional functions aimed at stealing victims' banking credentials. Based on commands from its C&C server, the trojan can display fake screens mimicking legitimate apps, lock infected devices to hide fraudulent activity, and intercept SMS messages and display fake notifications in order to bypass two-factor authentication. The malware obtains HTML code based on the apps installed on the victim's device and uses that code to overlay those apps with fake screens after they are launched. The trojan tries to prevent its removal by not allowing victims to turn off the active device administrator.
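A defender's triage check for the capability mix described above, as an added example that is not from ESET or the original page: it scans a decoded AndroidManifest.xml for SMS interception, overlay and device administrator entries that a flashlight app has no use for. The permission-to-behaviour mapping, the package name and the sample manifest are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"

# Assumed mapping from the behaviours in the article to standard manifest entries.
BEHAVIOUR_PERMISSIONS = {
    "android.permission.RECEIVE_SMS": "can intercept incoming SMS (2FA codes)",
    "android.permission.SYSTEM_ALERT_WINDOW": "can draw overlays on top of other apps",
}

# Constructed sample: decoded manifest of a hypothetical flashlight app.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Flashlight">
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def triage_manifest(manifest_xml):
    """Return findings for capabilities that a flashlight app does not need."""
    # Stdlib parser keeps this dependency-free; prefer defusedxml for untrusted input.
    root = ET.fromstring(manifest_xml.strip())
    findings = []
    for perm in root.iter("uses-permission"):
        name = perm.get(ANDROID_NS + "name")
        if name in BEHAVIOUR_PERMISSIONS:
            findings.append(f"{name}: {BEHAVIOUR_PERMISSIONS[name]}")
    for receiver in root.iter("receiver"):
        if receiver.get(ANDROID_NS + "permission") == DEVICE_ADMIN:
            component = receiver.get(ANDROID_NS + "name")
            findings.append(f"{component}: device administrator receiver "
                            "(can lock the screen and resist uninstallation)")
    return findings


if __name__ == "__main__":
    for finding in triage_manifest(SAMPLE_MANIFEST):
        print(finding)
```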