This Android Trojan pretends to be Flash security update but downloads additional malware

Malware tricks users into opening Android Accessibility menu, enabling the attacker to mimic users' clicks and select anything displayed on their screen.
Written by Danny Palmer, Senior Writer

The Android Trojan can mimic the user's clicks and actions.

Image: iStock

A new form of Trojan malware targeting Android smartphones is duping victims into installing a fake security update for Adobe Flash Player, which then acts as a downloader for further malicious software.

The malware is ultimately designed to monitor the users' activity for the purposes of stealing data, mimicking their actions in order to generate funds from fraudulent adware installations, and enabling the installation of various other types of malware -- including ransomware.

Detected by researchers at security company ESET, the Trojan targets all versions of Google's mobile operating system and aims to trick victims into granting it accessibility-service privileges, which it then uses to download and install additional malware without further user interaction.

Distributed via social media and compromised websites -- usually of the adult variety -- Android/TrojanDownloader.Agent.JI uses a legitimate-looking update screen that claims the user needs to download an Adobe Flash patch in order to ensure their device is safe from cyberattacks.

If the victim falls for it, a new screen pops up, claiming the device is consuming too much energy and the user must activate a new Saving Battery mode.

The malicious pop-up falsely claims that the regular battery saver option no longer works, and it keeps reappearing until the user agrees to turn on the new mode.


The fake Flash update (left) and fake battery saver (right) screens.

Image: ESET

Once the victim agrees to turn this mode on, the malware opens the Android Accessibility settings screen, which lists the legitimate services that offer accessibility functions alongside a new entry created by the malware, once again named Saving Battery.

This new malicious service requests the standard accessibility capabilities: observing the user's actions, retrieving window content, and turning on Explore by Touch. Together these let the service read whatever is on screen and dispatch clicks on the user's behalf, which is exactly what the attackers need in order to tap through download and installation prompts for additional malware.

Once this service is enabled, the fake Flash Player app hides its icon from the user, but in the background it contacts its command-and-control server and sends the cyberattackers information about the infected device.

Once contact has been made, the server instructs the device to download further malicious apps, ranging from adware and spyware to ransomware. While the new malware is being installed, the infected device displays a fake lockscreen that cannot be closed, so the user can neither see nor interrupt the installation.

By hiding the on-screen activity behind that lockscreen, the malware can use its accessibility permissions to mimic the user's clicks and install additional malicious software while remaining unseen. The screen disappears once the installation is done and the user is free to continue using their device -- which is now under the attackers' control.
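Because the whole chain hinges on the victim enabling an accessibility service, the most useful check for a practitioner is to list which services are enabled and flag any that are not expected. The following is an added example, not code from the original article or from ESET: a POSIX shell audit of the value Android stores in the secure setting enabled_accessibility_services (on a real device obtained with "adb shell settings get secure enabled_accessibility_services"). The allowlist, the constructed sample value and the package name com.example.fakeflash are assumptions for illustration, not identifiers from the malware.

```shell
#!/bin/sh
# Added example: audit Android's enabled_accessibility_services setting.
# On a real device the raw value comes from:
#   adb shell settings get secure enabled_accessibility_services
# It is a colon-separated list of flattened ComponentNames, written either
# as "pkg/.Class" (shorthand) or "pkg/fully.qualified.Class", or "null"
# when no service is enabled.

# Allowlist of services you expect on the device (assumption: adjust to your
# fleet). One fully-qualified component per line.
ALLOWED_SERVICES="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"

# Expand the shorthand "pkg/.Class" form to "pkg/pkg.Class" so that both
# spellings of the same component compare equal against the allowlist.
normalize_component() {
    comp=$1
    pkg=${comp%%/*}
    cls=${comp#*/}
    case "$cls" in
        .*) printf '%s/%s%s\n' "$pkg" "$pkg" "$cls" ;;
        *)  printf '%s/%s\n' "$pkg" "$cls" ;;
    esac
}

# Print every enabled service that is not on the allowlist, one per line.
# $1: the raw setting value. Returns 1 if anything was flagged, else 0.
flag_unknown_services() {
    raw=$1
    flagged=0
    [ "$raw" = "null" ] && return 0
    old_ifs=$IFS
    IFS=':'
    set -- $raw            # split the list on ':' into positional parameters
    IFS=$old_ifs
    for comp in "$@"; do
        [ -z "$comp" ] && continue
        full=$(normalize_component "$comp")
        if ! printf '%s\n' "$ALLOWED_SERVICES" | grep -qxF "$full"; then
            printf 'UNKNOWN accessibility service: %s\n' "$full"
            flagged=1
        fi
    done
    return $flagged
}

# Constructed sample (not captured from a real device): TalkBack plus a
# hypothetical service whose name mimics the fake "Saving Battery" entry.
SAMPLE="com.google.android.marvin.talkback/.TalkBackService:com.example.fakeflash/.SavingBatteryService"

# Run the audit on the sample; a real check would pass the adb output instead.
flag_unknown_services "$SAMPLE" || echo "Review the flagged services and uninstall the owning app if it is not recognised."
```

Any flagged service should be traced back to its owning package (the part before the slash) and that package reviewed before the device is trusted; a service whose package was installed from outside an app store and asks to retrieve window content deserves particular suspicion.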

"In cases we investigated, this Trojan was built to download another Trojan designed for siphoning off funds from bank accounts. However, it would take only a small change in the code for the user to get served with spyware or ransomware," says Lukáš Štefanko, the ESET malware researcher who led the analysis of Android/TrojanDownloader.Agent.JI.

The best way for Android users to avoid becoming victims of this threat is by sticking to trusted websites and being careful where they browse.

Users should also check where any suggested update is coming from. In this case it is not the official Adobe website, and Adobe has not offered Flash Player for Android since 2012, so any "Flash update" prompt on an Android device should be treated as suspect. Users should likewise be wary of apps that ask for many more permissions than they could plausibly need, and in particular of any app that asks to be enabled as an accessibility service.

For those who have already fallen victim to this malware, the downloader can be removed by manually uninstalling the 'Flash-Player' app from the phone. It is also worth opening Settings > Accessibility and disabling any service that is not recognised, since the malicious Saving Battery entry is what grants the malware its ability to act on the user's behalf.

However, more work may need to be done to completely remove malicious software from the device.

"Unfortunately, uninstalling the downloader doesn't remove malicious apps the downloader might have installed. As with the downloader itself, the best way for cleaning up the device is using a mobile security solution," says Štefanko.
