A malware downloader targeting Android users is pretending to be and Adobe Flash Player update, researchers said.
Although the Flash Player for Android discontinued almost 5 years ago, attackers still want to leverage any possibility to victimize users into downloading and installing their malicious programs, said ESET researchers.
Attackers rely on user’s willingness to download and install a fake update when presented with a legitimate looking update.
Called Android/TrojanDownloader.Agent.JI, the newly discovered threat uses this technique to infect the devices of users navigating social media or adult sites, Lukas Stefanko of ESET said in a blog post.
“The Trojan targets devices running Android, including the latest versions. It is distributed via compromised websites – adult video sites, but also via social media. Under the pretense of safety measures, the websites lure users into downloading a fake Adobe Flash Player update,” Stefanko said.
Following installation, the malware shows more deceptive screens to its victims, to trick them into granting it special permissions in the Android accessibility menu.
The Trojan displays a fake screen informing the victim of “too much consumption of energy” and urging “Saving Battery” mode is now in play. This message continues to display until the user agrees to enable the service.
At this point, the malware takes the victim to the Android Accessibility menu, which displays a list of services with accessibility functions, including a new service the malware has created during the installation process, called “Saving battery.”
When the user enables it, it requests permissions to monitor actions, retrieve window content, and turn on explore by touch.
As soon as the service has been enabled, the fake Flash Player icon ends up hidden from the user, although the malware runs in the background. It contacts the command and control (C&C) server to deliver information about the infected device and receive a link to a malicious app to download.
After receiving the link, the malware displays a lockscreen the user can’t dismiss, which hides the carnage the attacker is conducting. Because it has the permission to mimic the user’s clicks, the Trojan can now “download, install, execute and activate device administrator rights for additional malware without the user’s consent, all while remaining unseen under the fake lock screen,” Stefanko said.
To remove the malicious program, users should head to Settings -> Application Manager and try to manually uninstall it. However, should the malware have Device admin rights enabled (it requests those as well in some cases), users should head to Settings -> Security -> Flash-Player and deactivate those first.
Uninstalling the downloader, however, might prove only a partial solution, as the malware fetched and installed by the threat would remain on the infected device. Victims should install a mobile security application to perform a full cleanup.