{"id":399,"date":"2017-04-25T17:27:49","date_gmt":"2017-04-25T17:27:49","guid":{"rendered":"https:\/\/eset-blog.aist.fun\/turn-the-light-on-and-give-me-your-passwords\/"},"modified":"2019-05-29T12:18:56","modified_gmt":"2019-05-29T12:18:56","slug":"turn-the-light-on-and-give-me-your-passwords","status":"publish","type":"post","link":"https:\/\/blog.eset.ee\/et\/en\/2017\/04\/25\/turn-the-light-on-and-give-me-your-passwords\/","title":{"rendered":"Turn the light on and give me your passwords!"},"content":{"rendered":"

Android users were the target of another banking malware with screen locking capabilities, masquerading as a flashlight app on Google Play. Unlike other banking trojans with a static set of targeted banking apps, this trojan is able to dynamically adjust its functionality.<\/p>\n

Aside from delivering promised flashlight functionality, the remotely controlled trojan comes with a variety of additional functions aimed at stealing victims\u2019 banking credentials. Based on commands from its C&C server, the trojan can display fake screens mimicking legitimate apps, lock infected devices to hide fraudulent activity and intercept SMS and display fake notifications in order to bypass two-factor authentication.<\/p>\n

The malware can affect all versions of Android. Because of its dynamic nature, there might be no limit to targeted apps \u2013 the malware obtains HTML code based on apps installed on the victim\u2019s device and uses the code to overlay the apps with fake screens after they\u2019re launched.<\/p>\n

The trojan, detected by ESET as Trojan.Android\/Charger.B<\/em>, was uploaded to Google Play on March 30 and was installed by up to 5,000 unsuspecting users before being pulled from the store on ESET\u2019s notice on April 10. <\/strong><\/p>\n

\n

\"Flashlight\"<\/p>\n

Figure 1 \u2013 The trojan on Google Play<\/p>\n<\/div>\n

How does it operate?<\/strong><\/h2>\n

As soon as the app is installed and launched, it requests device administrator rights. Users with Android 6.0 and above also need to manually permit usage access and drawing over other apps. With the rights and permissions granted, the app hides its icon, appearing on the device only as a widget.<\/p>\n

The actual payload is encrypted in the assets of the APK file installed from Google Play, evading detection of its malicious functionality. The payload is dropped, decrypted and executed when the victim runs the app.<\/p>\n

The trojan first registers the infected device to the attackers\u2019 server. Apart from sending device information and a list of installed applications, the malware gets up close and personal with its victims \u2013 it also attaches a picture of the device owner taken by the front camera.<\/p>\n

If the sent information indicates the device is located in Russia, Ukraine or Belarus, the C&C commands the malware to stop its activity \u2013 most likely to avoid prosecution of the attackers in their home countries.<\/p>\n

Based on the apps found installed on the infected device, the C&C sends corresponding fake activity in the form of a malicious HTML code. The HTML is displayed in WebView after the victim launches one of the targeted apps. Legitimate activity is then overlaid by a fake screen requesting a victim\u2019s credit card details or banking app credentials.<\/p>\n

However, as mentioned before, specifying what apps qualify as \u201ctargeted\u201d is tricky, as the requested HTML varies based on what apps are installed on the particular device. During our research, we\u2019ve seen fake screens for Commbank, NAB and Westpac Mobile Banking, but also for Facebook, WhatsApp, Instagram and Google Play.<\/p>\n

The credentials inserted into the fake forms are sent unencrypted to the attackers\u2019 C&C server.<\/p>\n

As for the device locking, we suspect this function enters the picture when cashing out the compromised bank accounts. The attackers can remotely lock devices with a fake update lookalike screen to hide fraudulent activity from victims, as well as to ensure they can\u2019t interfere.<\/p>\n

\n

\"Flashlight\"<\/p>\n

Figure 2 \u2013 Fake screens mimicking apps found on infected device<\/p>\n<\/div>\n

\n

\"Flashlight\"<\/p>\n

Figure 3 \u2013 Fake system screen used to lock infected device<\/p>\n<\/div>\n

To communicate with C&C, the trojan misuses Firebase Cloud Messages (FCM), which is the first time we\u2019ve seen Android malware using this communication channel.<\/p>\n

Based on our research, the app is a modified version of Android\/Charger<\/em>, first discovered by Check Point researchers in January 2017<\/a>. Unlike the first version that primarily extorted victims by locking their devices and demanding a ransom, the attackers behind Charger are now trying their luck with phishing for banking credentials \u2013 an evolution rather rare in the world of Android malware.<\/p>\n

With its fake login screens and locking capabilities, Android\/Charger.B <\/em>also bears some resemblance to the banking malware<\/a> we discovered and analyzed in February. What makes this latest discovery more dangerous, however, is the fact that its target can be dynamically updated, as opposed to being hardcoded in the malware \u2013 opening unlimited options for future misuse.<\/p>\n

Has my device been infected? How do I clean it?<\/strong><\/h2>\n

If you\u2019ve recently downloaded a Flashlight app from Google Play, you might want to check if you haven\u2019t accidentally reached for this trojan.<\/p>\n

The malicious app can be found in Setting > Application Manager\/Apps > Flashlight Widget.<\/p>\n

\n

\"Flashlight\"<\/p>\n

Figure 4 \u2013 The malicious app in Application manager<\/p>\n<\/div>\n

While locating the app is simple, uninstalling it is not. The trojan tries to prevent this by not allowing victims to turn off the active device administrator \u2013 a necessary step for removing the app. When trying to deactivate the rights, the pop-up screen doesn\u2019t go away until you change your mind and click \u201cactivate\u201d again.<\/p>\n

In such a case, the app can be uninstalled by booting your device into Safe mode, which will enable you to go through the following two steps to remove the malicious app.<\/p>\n

See video below for instructions:<\/p>\n