Security researchers have uncovered a new Trojan malware targeting Android smartphone users. The malware poses as a fake Adobe Flash Player app and tricks victims into granting it "special permissions" within the Android accessibility menu, which it then leverages to download and install additional malware and even potential ransomware.
The Trojan targets all versions of the Android mobile OS and is designed to track and mimic victims' activities to steal data. Security researchers uncovered that the malware is distributed through compromised websites, including adult video sites and even social media.
According to security researchers at ESET, the malware uses "legitimate-looking" update screens, which urge victims to download an Adobe Flash patch under the guise of security measures. Once victims fall for this, the malware keeps flooding them with additional pop-ups claiming "too much consumption of energy" and urging victims to activate a fake "Saving Battery" mode.
"Like most malicious pop-ups, the message won't stop appearing until the victim gives in and agrees to enable the service," ESET researchers noted. The researchers added that the malware contacts its C&C (command and control) servers in the background to send them information about the compromised device.
Researchers said, "The server responds with a URL leading to a malicious app of the cybercriminal's choice – in the detected case, banking malware (though it could be any malware ranging from adware through spyware, and on to ransomware). After acquiring the malicious link, the compromised device displays a bogus lock screen with no option to close it, covering the ongoing malicious activity beneath it."
The malware can not only hide its malicious activities but is also able to exploit permissions to mimic victims' clicks and download additional malware, all while remaining undetected. Once the bogus lock screen disappears, which happens after the malware completes its malicious activities, victims are free to use their compromised devices, which are now constantly being spied on by hackers.
"In cases we investigated, this Trojan was built to download another Trojan designed for siphoning off funds from bank accounts. However, it would take only a small change in the code for the user to get served with spyware or ransomware," says Lukáš Štefanko, the ESET malware researcher who led the analysis of Android/TrojanDownloader.Agent.JI, ZDNet reported.
Android smartphone users are advised to only download apps from legitimate sites and proceed with caution when browsing online. Users should also remain wary of any updates suggested from non-legitimate sites and apps that request more permissions than usually required.
Those already infected by this malware can attempt to manually remove it by uninstalling the malicious Flash Player app from their devices.
"Unfortunately, uninstalling the downloader doesn't remove malicious apps the downloader might have installed. As with the downloader itself, the best way for cleaning up the device is using a mobile security solution," says Štefanko.
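Because the Trojan depends on an accessibility service the victim was tricked into enabling, a responder can list which services are enabled on a device and flag any that are not expected. The following is an added example, not code from ESET or the original article; the allowlist, the keyword hints and the `com.example.*` package names are assumptions made for illustration.

```python
# Packages allowed to hold an accessibility service (assumption: illustrative
# allowlist; build a real one from known-good devices).
ALLOWED_PACKAGES = {"com.google.android.marvin.talkback"}

# Heuristic keywords taken from the lures the article describes (a fake Flash
# Player update and a "Saving Battery" service). A match raises severity only.
SUSPICIOUS_HINTS = ("flash", "battery", "update")


def parse_enabled_services(raw):
    """Parse the colon-separated secure setting `enabled_accessibility_services`
    into (package, service_class) pairs."""
    raw = (raw or "").strip()
    if raw in ("", "null"):          # nothing enabled
        return []
    services = []
    for entry in raw.split(":"):
        package, sep, cls = entry.strip().partition("/")
        if not sep or not package or not cls:
            continue                 # not a flattened component name
        if cls.startswith("."):      # short form: class relative to the package
            cls = package + cls
        services.append((package, cls))
    return services


def audit(raw, allowed=ALLOWED_PACKAGES):
    """Return one finding per enabled service whose package is not allowlisted."""
    findings = []
    for package, cls in parse_enabled_services(raw):
        if package in allowed:
            continue
        hinted = any(h in (package + cls).lower() for h in SUSPICIOUS_HINTS)
        findings.append({"package": package, "service": cls,
                         "severity": "high" if hinted else "review"})
    return findings


# Constructed sample, shaped like the output of:
#   adb shell settings get secure enabled_accessibility_services
# The com.example.* entries are made up for this example.
SAMPLE = ("com.google.android.marvin.talkback/"
          "com.google.android.marvin.talkback.TalkBackService:"
          "com.example.flashplayer.update/.SavingBatteryService:"
          "com.example.reader/com.example.reader.ScreenReaderService")

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"[{f['severity']}] {f['package']} -> {f['service']}")
```

A flagged package identifies only the app holding the accessibility service; as Štefanko notes, anything it downloaded has to be found and removed separately.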