Friday, May 9, 2025
HomeMalwareBanking malware with screen locking capabilities targeting all versions of Android

Banking malware with screen locking capabilities targeting all versions of Android

Published on

SIEM as a Service

Follow Us on Google News

Android clients were the goal of another banking malware with screen locking abilities, taking on the appearance of a flashlight application on Google Play.

Dissimilar to other banking trojans with a static arrangement of targeted banking applications, this trojan can progressively change its usefulness.

The trojan, detected by ESET as Trojan.Android/Charger.B, was added to Google Play on March 30.

- Advertisement - Google News
Banking malware with screen locking capabilities targeting all versions of Android
The malware can influence all versions of Android. As a result of its dynamic nature, there may be no restriction to targeted applications.It was installed by up to 5,000 clueless clients before being pulled from the store on ESET’s notice on April 10.

How does it work?

Besides conveying guaranteed flashlight function, the remotely controlled trojan accompanies an assortment of extra capacities used for stealing victims Banking credentials.

Once the app is installed and launched, it requests device administrator rights.Once the permissions provide application hides and will be available only with the Widget.

Based on commands from C&C server, the trojan can show fake screens mirroring true applications, lock contaminated device to hide away false action and capture SMS and show fake notices with a specific end goal to sidestep two-factor Authentication.

The actual payload is encrypted in the assets of the APK file installed from Google Play, evading detection of its malicious functionality. The payload is dropped, decrypted and executed when the victim runs the app. ESET Says

On the off chance that the sent data demonstrates the gadget is situated in Russia, Ukraine or Belarus, the C&C charges the malware to stop its action – most probably to avoid litigation of the attacks in their nations of origin.

Banking malware with screen locking capabilities targeting all versions of Android
Source @ ESET

Based on our ESET researchers, the app is a modified version of Android/Charger, first discovered by Check Point researchers in January 2017.

Malware communicates with C&C through Firebase Cloud Messages(FCM) communication channel.

Banking malware with screen locking capabilities targeting all versions of Android
                             Source @ ESET

How to clean from Infected device

This Malicious app can be found in Application Manager. It can be located easily but hard to remove as it doesn’t allow victims turn off the active device administrator

Setting > Application Manager/Apps > Flashlight Widget.

If this case you can remove the app by booting the device in safe mode. Check out the video by Eset with instruction in removing the app.

Sample: com.flashscary.widget CA04233F2D896A59B718E19B13E3510017420A6D Android/Charger.B

Common Defences 

  • To stay secure use a reputable mobile security solution to detect and remove the threats.
  • Do download apps only from the official market.
  • Before downloading, check for the number of installs, ratings and, most importantly, the content of reviews.

Also Read

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Chinese Hackers Exploit SAP RCE Vulnerability to Deploy Supershell Backdoors

A critical remote code execution (RCE) vulnerability, identified as CVE-2025-31324, in SAP NetWeaver Visual...

Hackers Target IT Admins by Poisoning SEO to Push Malware to Top Search Results

Cybercriminals are increasingly targeting IT administrators through sophisticated Search Engine Optimization (SEO) poisoning techniques. By...

New Mamona Ransomware Targets Windows Systems Using Abused Ping Command

Cybersecurity researchers are raising the alarm about a newly discovered commodity ransomware strain dubbed Mamona,...

Malicious Python Package Impersonates Discord Developers to Deploy Remote Commands

A seemingly innocuous Python package named ‘discordpydebug’ surfaced on the Python Package Index (PyPI)...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Hackers Target IT Admins by Poisoning SEO to Push Malware to Top Search Results

Cybercriminals are increasingly targeting IT administrators through sophisticated Search Engine Optimization (SEO) poisoning techniques. By...

Russian COLDRIVER Hackers Deploy LOSTKEYS Malware to Steal Sensitive Information

The Google Threat Intelligence Group (GTIG) has uncovered a sophisticated new malware dubbed LOSTKEYS,...

Lampion Banking Malware Uses ClickFix Lures to Steal Banking Credentials

Unit 42 researchers at Palo Alto Networks, a highly targeted malicious campaign orchestrated by...