Security updates are supposed to protect you from software flaws that can put you in danger. We get these update notices periodically and we are always advised to install (legitimate) patches as soon as we can. This practice can preempt software attacks that tend to exploit newly discovered bugs and weaknesses within a system.
But before you click on every update prompt coming your way, what if the update itself is malware in disguise?
Security researchers from ESET have discovered a new Android trojan that masquerades as an Adobe Flash Player security update. Instead of squashing bugs, this treacherous kit is actually a gateway for even more nasty malware.
The trojan application, nicknamed Android/TrojanDownloader.Agent.JI, is said to target all versions of Android. By pretending to be an important Flash update, it tries to trick potential victims into granting it special administrative permissions to download and install additional malware of its master’s choosing.
This “supplementary” malware could be anything, ransomware or spyware included, but at present ESET has found the trojan being used to download and install banking malware that steals data.
ESET warns that this fake Adobe Flash Player update is lurking within compromised websites of the adult variety and on social media sites.
How it operates
Once the fake Flash update is downloaded and installed, a phony “TOO MUCH CONSUMPTION OF ENERGY” warning screen appears and advises the victim to turn on “Saving Battery.”
As with other Android malware variants, the warning screen keeps reappearing until the victim turns “Saving Battery” on. Once the victim gives in, a new “Saving Battery” service is added to the Android Accessibility menu.
This service then asks for three special permissions: “Monitor your actions,” “Retrieve window content” and “Turn on Explore by Touch.” Together, these permissions allow the malware to mimic user taps and select anything displayed on the screen, which is how it downloads additional malware.
Once all these permissions are granted and the service is enabled, the phony Flash Player icon disappears. Unbeknownst to the victim, the malware is now contacting the attacker’s Command and Control server and supplying it with the compromised gadget’s information.
Once contact is established, the server can push and install any malware of the attacker’s choosing. This activity is hidden from view by a fake “installed battery saving driver” lock screen.
Using its ability to mimic user clicks, the malware can now download, install, execute and grant administrator rights to the additional malware while hiding beneath the fake lock screen. Once the new malware is installed, the lock screen overlay “opens up” and it finally relinquishes control to the user. Pretty clever.
To find out whether your Android gadget is infected, look for a “Saving Battery” service in the Accessibility menu. If that service is present, your gadget is infected.
ESET warns that denying this service its permissions will only reactivate its first “TOO MUCH CONSUMPTION OF ENERGY!” screen.
To purge Android/TrojanDownloader.Agent.JI from your system, try removing it manually under Settings >> Application Manager >> Flash-Player. The trojan may also have requested device administrator rights upon installation. If so, the fake app can’t be uninstalled until those administrator rights are revoked under Settings >> Security >> Flash-Player.
Even then, your Android device may have already been infected with additional malware and further action, like threat detection and removal by mobile anti-virus software, may be required.
Prevent trojan infections
As always, to protect yourself against Android malware, the best practice is to avoid downloading and installing apps from “Unknown Sources.” Only download apps from the official Google Play app store and make sure you check user reviews, too, before installing.
Second, be careful with links and websites you visit. Drive-by malware downloads could happen anytime without you knowing it. Don’t grant any system permissions to prompts coming from unknown sources.
And lastly, always be vigilant. As seen with this fake Flash Player update, things are sometimes not what they seem.