A seemingly innocuous app that allows a smartphone camera flash to be used as a torch has been discovered to contain a malicious Trojan that can do everything from steal banking credentials to intercept text messages and capture images of the user’s face.
Eset security researcher Lukas Stefanko published the findings on a company blog overnight, saying the app, named Flashlight LED Widget, can show up fake screens mimicking legitimate banking apps in order to dupe the user into giving up their username and password. The app can also intercept text messages in order to get around two-factor authentication.
“The malware can affect all versions of Android. Because of its dynamic nature, there might be no limit to targeted apps – the malware obtains HTML code based on apps installed on the victim’s device and uses the code to overlay the apps with fake screens after they’re launched.”
Smartphone apps from Australian banks had already been impersonated by the malware, labelled Trojan.Android/Charger.B.
“We’ve seen fake screens for Commbank, NAB and Westpac Mobile Banking, but also for Facebook, WhatsApp, Instagram and Google Play,” said Stefanko.
Stefanko said that if the app sent personal information that indicated the smartphone was located in Russia, Ukraine or Belarus, a central server stopped the malware from doing any further damage, in a measure likely implemented to “avoid prosecution of the attackers in their home countries”.
As well as stealing information, the malware also perversely takes a picture of the smartphone owner using the front “selfie” camera and sends it to its central server. The app also locked the phone while it executed nefarious activities, like withdrawing funds out of the banking apps.