SECURITY experts have identified a seemingly helpful Android app on the Google Play store that can mimic Australian banking apps to steal banking details and send them to Russian hackers.
Eset malware researcher Lukas Stefanko discovered that the app Flashlight LED Widget was a malicious trojan, which 5000 people downloaded before it was pulled from Google Play.
“We’ve seen fake screens for Commbank, NAB and Westpac Mobile Banking, but also for Facebook, WhatsApp, Instagram and Google Play,” he said in the blog post on the dangerous app.
Mr Stefanko said this app was a greater threat than most malware because it was able to dynamically change depending on the apps on the infected phones.
“The trojan can display fake screens mimicking legitimate apps, lock infected devices to hide fraudulent activity and intercept SMS and display fake notifications in order to bypass two-factor authentication,” he said.
“The malware can affect all versions of Android. Because of its dynamic nature, there might be no limit to targeted apps — the malware obtains HTML code based on apps installed on the victim’s device and uses the code to overlay the apps with fake screens after they’re launched.”
The first time the app launches on a phone, it takes a photo of the phone’s owner and identifies their location. If the person is in Russia, the Ukraine or Belarus, the app deactivates, which Mr Stefanko said was presumably to avoid prosecution in the hacker’s home country.
When the user launches their banking app, the trojan creates a fake version which captures the person’s credit card or banking details and sends them back to the Russian server.
Android phone users who have downloaded the app should immediately delete it.
Mr Stefanko said that because the app is designed to block moves to remove it, people will need to boot their phone in safe mode to delete it.