A banking Trojan targeting Android phones has been discovered on Google Play by ESET, an anti-virus internet security company.
The malicious app, which masquerades as a flashlight app, has already been downloaded by over 5,000 users. The key aim of the Trojan is to steal banking credentials, with major banks including Commbank, NAB and Westpac found to have been targeted.
ESET says the Trojan is particularly advanced. It has the ability to target a potentially unlimited number of apps and also has screen locking capabilities. The below picture is what the fake app looks like in Google Play.
After downloading the fake app it requests device administrator rights and then, when granted, hides its icon so it only appears on the infected device as a widget.
The Trojan then registers the infected device with the attacker's central server, sending device information and a list of apps installed. If that’s not creepy enough, the Trojan even sends a photo of the device owner taken by the front camera to the attacker.
When the victim opens one of their banking apps, the Trojan uploads a fake screen requesting the user to enter their banking credentials and credit card information, which is then sent to the attacker. The below picture shows the fake screens targeting Commbank customers.
In addition to the banks mentioned above, ESET also found fake screens for Facebook, WhatsApp, Instagram and Google Play.
The Trojan also has the ability to remotely lock the devices screen and display a fake Android update lookalike screen, most likely when the attacker is clearing the victim's bank accounts.
The Trojan was available to download on Google Play between 30 March and 10 April 2017. To check if your device has been infected, go into Settings and check in your Application Manager/Apps to see if the flashlight widget is listed.
The app can be uninstalled by booting your device into Safe mode, which will enable you to go through the two steps of removing the malicious app.
