Researchers have found another banking trojan concealed in a supposed flashlight app that replaces the login pages of several Australian bank apps with fake ones.
The Flashlight LED Widget app from developer MaxUMedia does deliver its promised flashlight functionality, but also tries to steal banking credentials via fake login pages for legitimate banking apps.
This trojan has fake login screens for banking apps by the Commonwealth Bank, NAB, and Westpac, as well as bogus login pages for Facebook, WhatsApp, Instagram, and Google Play. The malware will display the correct fake login after a targeted app is launched.
Google removed the app on April 10; however, it had been installed by as many as 5,000 people since it first appeared on Google Play on March 30, according to security firm ESET.
The app was promoted as a free super bright flashlight widget that didn’t contain ads. It was likely created by Russian-speaking hackers, since the malware is instructed not to operate if the device is located in Russia, Belarus, or Ukraine.
Google in the past fortnight pulled two other banking trojans from Google Play after researchers alerted it to the problem. These also targeted a dozen Australian banking brands, as well as brands serving the New Zealand and European markets. The malware also sought payment card data via fake payment pages for Google Play.
ESET researcher Lukas Stefanko believes the flashlight banking trojan is a modified version of a bogus charger app with ransomware functionality that Google took down from Google Play in January. However, it’s also similar to banking malware targeting Turkish bank apps, which Google removed in February.
Stefanko notes that removing the malicious app is a bit tricky, but the firm has provided instructions to remove it manually.
Google's malware scans make Google Play the safest place for Android users to download apps; however, its checks fail to detect every potentially harmful application.