Android clients were the goal of another banking malware with screen locking abilities, taking on the appearance of a flashlight application on Google Play.
Dissimilar to other banking trojans with a static arrangement of targeted banking applications, this trojan can progressively change its usefulness.
The trojan, detected by ESET as Trojan.Android/Charger.B, was added to Google Play on March 30.
Besides conveying guaranteed flashlight function, the remotely controlled trojan accompanies an assortment of extra capacities used for stealing victims Banking credentials.
Once the app is installed and launched, it requests device administrator rights.Once the permissions provide application hides and will be available only with the Widget.
Based on commands from C&C server, the trojan can show fake screens mirroring true applications, lock contaminated device to hide away false action and capture SMS and show fake notices with a specific end goal to sidestep two-factor Authentication.
The actual payload is encrypted in the assets of the APK file installed from Google Play, evading detection of its malicious functionality. The payload is dropped, decrypted and executed when the victim runs the app. ESET SaysOn the off chance that the sent data demonstrates the gadget is situated in Russia, Ukraine or Belarus, the C&C charges the malware to stop its action – most probably to avoid litigation of the attacks in their nations of origin.
Based on our ESET researchers, the app is a modified version of Android/Charger, first discovered by Check Point researchers in January 2017.
Malware communicates with C&C through Firebase Cloud Messages(FCM) communication channel.
This Malicious app can be found in Application Manager. It can be located easily but hard to remove as it doesn’t allow victims turn off the active device administrator
Setting > Application Manager/Apps > Flashlight Widget.
If this case you can remove the app by booting the device in safe mode. Check out the video by Eset with instruction in removing the app.
Silent Push researchers have identified that the notorious hacker collective Scattered Spider, also known as…
A critical remote code execution (RCE) vulnerability, identified as CVE-2025-31324, in SAP NetWeaver Visual Composer…
Cybercriminals are increasingly targeting IT administrators through sophisticated Search Engine Optimization (SEO) poisoning techniques. By…
Cybersecurity researchers are raising the alarm about a newly discovered commodity ransomware strain dubbed Mamona, which…
A seemingly innocuous Python package named ‘discordpydebug’ surfaced on the Python Package Index (PyPI) under…
An advanced supply chain attack has targeted the well-known npm package rand-user-agent, which receives about…