Fake Android Flash Player App Malware Targeting Banks, Social Media
A new Android banking Trojan has surfaced and gripped the entire banking industry across the US and Europe by appearing as a Flash Player App.

The Trojan has already targeted the customers of around 94 major banking and financial apps in US and Europe including Santander, Coinbase, American Express, PayPal, Deutsche Bank, Credit Karma and Wells Fargo, etc. This is a very sophisticated and advanced piece of malware, which is quite dangerous as well because it can easily evade the SMS-based two-factor authentication system.

ALSO READ: SPYNOTE TROJAN (RAT); YET ANOTHER BAD NEWS FOR ANDROID USERS

According to Kai Lu, a security researcher at Fortinet, users who actively use banking applications on their mobiles need to remain cautious and beware of this new malware campaign. Lu stated that:

“This banking malware can steal login credentials from 94 different mobile banking apps.”

Here is how it attacks:

When installed, the fake Flash Player app appears at the launcher and shows a screen overlapping all the other apps. When the user clicks on Cancel, this view disappears only to restart again. It always remains on top of your display screen. When the user clicks on Activate button for deleting the request, the Trojan receives device administrator rights. The Flash Player icon then disappears but in the background the Trojan remains active. After gaining administrator rights, the self-defense mechanism of the malware prevents it from getting uninstalled.

android-malware-flash-player-app-hits-banks-social-media-inside-2
Screenshot of fake Flash Player on Google Play

This banking malware is capable of targeting various popular social media apps as well including Google Play Store, Facebook,Facebook Messenger, Calculator, Whatsapp, Twitter, Snapchat, Skype, Instagram and Viber.

android-malware-flash-player-app-hits-banks-social-media-inside
List of apps targeted by this trojan

This malware can also intercept SMS messages and this is why it is believed to have the capability of bypassing SMS-based two-factor authentication mechanism. It can also send and upload SMS messages along with running a factory reset and collecting sensitive information like the IMEI code of the device, ISO country code, phone’s model/build, phone number. The information is later sent to the trojan’s command-and-control server.

ALSO READ: 7 EASY TIPS TO STRONG ANDROID SECURITY AGAINST HACKS

Lu analyzed that the banks targeted through this Trojan are located in “the United States, Germany, France, Australia, Turkey, Poland and Austria.”

Using a fake login window, the malware also tricks the user into entering login credentials for the apps installed on the device and the information is transferred to the C&C server.

The good news is that this Trojan can be removed by manually disabling the malware’s administrative rights using: Settings>Security>Device Administrators>Google Play Services>Deactivate.

ALSO READ: NEW LOCKSCREEN RANSOMWARE TARGETING ANDROID DEVICES

When the rights of admin are deactivated, the user can find Flash Player update and uninstall it.

SourceFortinet
Image SourcePixaBay/Mammela

Uzair Amir

I am an Electronic Engineer, an Android Game Developer and a Tech writer. I am into music, snooker and my life motto is ‘Do my best, so that I can’t blame myself for anything.’