{"id":383,"date":"2017-02-14T15:19:49","date_gmt":"2017-02-14T15:19:49","guid":{"rendered":"https:\/\/eset-blog.aist.fun\/new-android-trojan-mimics-user-clicks-to-download-dangerous-malware\/"},"modified":"2019-05-29T12:13:24","modified_gmt":"2019-05-29T12:13:24","slug":"new-android-trojan-mimics-user-clicks-to-download-dangerous-malware","status":"publish","type":"post","link":"https:\/\/blog.eset.ee\/et\/en\/2017\/02\/14\/new-android-trojan-mimics-user-clicks-to-download-dangerous-malware\/","title":{"rendered":"New Android trojan mimics user clicks to download dangerous malware"},"content":{"rendered":"
\n
\n

Android users have been exposed to a new malicious app imitating Adobe Flash Player that serves as a potential entrance for many types of dangerous malware. The application, detected by ESET security software as Android\/TrojanDownloader.Agent.JI, tricks its victims into granting it special permissions in the Android accessibility menu and uses these to download and execute additional malware of the attackers\u2019 choice.<\/p>\n

According to our analysis, the trojan targets devices running Android, including the latest versions. It is distributed via compromised websites \u2013 adult video sites, but also via social media. Under the pretense of safety measures, the websites lure users into downloading a fake Adobe Flash Player update. If victims fall for the legitimate-looking update screen and runs the installation, they have more deceptive screens to look forward to.<\/p>\n

\n

<\/p>\n

Figure 1: Fake Flash Player update screen<\/p>\n<\/div>\n

How does it work?<\/strong><\/h2>\n
The next phony screen pops up following successful installation, claiming \u201ctoo much consumption of energy\u201d and urging the user to turn on a fake \u201cSaving Battery\u201d mode. Like most malicious pop ups, the message won\u2019t stop appearing until the victim gives in and agrees to enable the service. This opens the Android Accessibility menu, showing a list of services with accessibility functions. Among the legitimate ones, a new service (created by the malware during installation) named \u201cSaving battery\u201d appears. The service then requests permissions to Monitor your actions<\/em>, Retrieve window content<\/em> and Turn on Explore by Touch<\/em> \u2013 all crucial for future malicious activity, enabling the attacker to mimic the user\u2019s clicks and select anything displayed on their screen.<\/div>\n
\n

<\/p>\n

Figure 2: Pop-up screen requesting \u201cSaving Battery\u201d after install<\/p>\n<\/div>\n

\n

\"\"<\/p>\n

Figure 3: Android Accessibility menu with the malicious service<\/p>\n<\/div>\n

\n

<\/p>\n

Figure 3: Android Accessibility menu with the malicious service<\/p>\n<\/div>\n

Once the service is enabled, the fake Flash Player icon hides from the user. However, in the background, the malware is busy contacting its C&C server and providing it with information about the compromised device. The server responds with a URL leading to a malicious app of the cybercriminal\u2019s choice \u2013 in the detected case, banking malware (though it could be any malware ranging from adware through spyware, and on to ransomware). After acquiring the malicious link, the compromised device displays a bogus lock screen with no option to close it, covering the ongoing malicious activity beneath it.<\/p>\n

\n

<\/p>\n

Figure 5: Lock screen covering malicious activity<\/p>\n<\/div>\n

This is when the permission to mimic the user\u2019s clicks comes in handy \u2013 the malware is now free to download, install, execute and activate device administrator rights for additional malware without the user\u2019s consent, all while remaining unseen under the fake lock screen. After the app\u2019s secret shenanigans are done, the overlay screen disappears and the user is able to resume using the mobile device \u2013 now compromised by the downloaded malware.<\/p>\n

Has my device been infected? How do I clean it?<\/strong><\/h2>\n

If you think you might have installed this fake Flash Player update in the past, you can easily verify by checking for \u2018Saving Battery\u2019 under Services in the Accessibility menu. If listed under the services, your device may very well be infected.<\/p>\n

Denying the service its permissions will only bring you back to the first pop up screen and will not get rid of Android\/TrojanDownloader.Agent.JI.<\/p>\n

To remove the downloader, try manually uninstalling the app from Settings -> Application Manager -> Flash-Player.<\/p>\n

In some instances, the downloader also requests that the user activate Device administrator rights. If that turns out to be the case and you can\u2019t uninstall the app, deactivate the administrator rights by going to Settings -> Security -> Flash-Player and then proceed with uninstalling.<\/p>\n

Even after doing so, your device might still be infected by countless malicious apps installed by the downloader. To make sure your device is clean, we recommend using a reputable mobile security app as a hassle-free way to detect and remove threats. <\/em><\/strong><\/p>\n

How to stay safe <\/strong><\/h2>\n

To avoid dealing with the consequences of nasty mobile malware, prevention is always the key. Apart from sticking to trustworthy websites, there are a couple more things you can do to stay safe.<\/p>\n

If you\u2019re downloading apps or updates in your browser, always check the URL address to make sure you\u2019re installing from the intended source. In this particular case, the only safe place to get your Adobe Flash Player update is from the official Adobe website.<\/p>\n

After running anything you\u2019ve installed on your mobile device, pay attention to what permissions and rights it requests. If an app asks for permissions that don\u2019t seem appropriate to its function, don\u2019t enable these without double checking.<\/p>\n

Last but not least, even if all else fails, a reputable mobile security solution will protect your device from active threats.<\/p>\n

If you\u2019d like to find out more about Android-based malware, look into our latest research<\/a> on the topic. You\u2019re also welcome to stop by ESET\u2019s stand at this year\u2019s Mobile World Congress<\/a>.<\/p>\n

Video capture from an infected device (time edited)<\/strong><\/h2>\n