Flashlight Apps Snuck Malware Into Google's Play Store, Targeting Bank Accounts

Photo: Getty

Active on the Google Play Store as recently as last Friday, a mobile banking trojan infected thousands of users who thought they were downloading games or innocent-looking apps, according to research published by a trio of cybersecurity firms.

The malware, known as BankBot, was concealed inside various flashlight and Solitaire apps, and was first detected by researchers on October 13th. Once a user had downloaded an infected app, the trojan would activate and wait for the user to log in to pre-selected banking apps, including those of Wells Fargo, Chase, CitiBank, and DiBa (ING). In some cases, bank transaction authentication numbers (TANs), a form of multi-factor authentication employed by some banks, were intercepted in text messages.

Research into BankBot’s latest capabilities was conducted by employees at Czech cybersecurity firms Avast and ESET, and the Amsterdam-based SfyLabs, which focuses on Android-specific threats.

Although Play Protect scans the apps uploaded to Google’s app store against known malicious software, BankBot circumvented this defense by hosting its payload on a command & control server. After users downloaded one of the infected apps, such as “Tornado Flashlight,” the malware waited for two hours before downloading the payload. Phones that were not set to automatically accept files from unknown sources were prompted to accept the installation, Avast said.

A few of the flashlight apps hosting BankBot (Avast)

The Android apps containing the malware were disguised so that users believed the installation was a Google Play or system update requesting administrative privileges.

From there, BankBot quietly waited for users to log in to one of the aforementioned banking apps. Once the banking credentials were entered, they were immediately shared with the criminals who launched the malware campaign.

Certain banking apps send users security codes via text messages, which they have to enter into the app before accessing their accounts; however, this BankBot variant included a function that allowed it to intercept the texts and forward the codes to the attackers as well.

According to Avast, in addition to the US, BankBot struck users in Australia, Germany, the Netherlands, France, Poland, Spain, Portugal, Turkey, Greece, Russia, the Dominican Republic, Singapore, and the Philippines.

“The malware is not active in the Ukraine, Belarus and Russia,” Avast’s researchers wrote. “This is most likely to protect the cyber criminals from receiving unwanted attention from law enforcement authorities in these countries.”

There are several steps users can take in the future to avoid having their bank accounts emptied, chief among them: make sure your phone only allows downloads from trusted sources. At least then you can vet untrusted apps on a case-by-case basis. (Check under “security” in your phone’s settings.)
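The article describes three observable traces of this campaign: a sideloaded payload that impersonates a Google Play or system update and asks for device-admin rights, a utility app that ends up holding SMS permissions, and a phone whose “unknown sources” setting is switched on. The following triage script, added here as an illustration and not part of Avast’s, ESET’s or SfyLabs’ research, checks an app inventory for exactly those indicators. The inventory records and package names are constructed stand-ins for what `adb shell dumpsys package` (the `installerPackageName` field, granted permissions, active device admins) and `adb shell settings get secure install_non_market_apps` would give you on a real device; no real device output is used.

```python
"""Triage an Android app inventory for the BankBot-style indicators
described in the article. All records below are constructed examples."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
UTILITY_HINTS = ("flashlight", "torch", "solitaire")        # apps with no reason to read SMS
IMPERSONATION_HINTS = ("google play", "system update")       # labels the payload hid behind
KNOWN_GOOGLE_PACKAGES = {"com.android.vending", "com.google.android.gms"}
PLAY_STORE_INSTALLER = "com.android.vending"                 # installerPackageName for Play installs


@dataclass
class AppRecord:
    package: str
    label: str
    granted: Set[str] = field(default_factory=set)
    device_admin: bool = False
    installer: Optional[str] = None  # None models installerPackageName=null, i.e. sideloaded


def unknown_sources_from_setting(value: str) -> bool:
    """Interpret the raw value of the install_non_market_apps secure setting."""
    return value.strip() == "1"


def risk_findings(app: AppRecord) -> List[str]:
    """Return human-readable findings for one app; empty list means nothing suspicious."""
    findings: List[str] = []
    label = app.label.lower()
    sideloaded = app.installer != PLAY_STORE_INSTALLER
    sms = sorted(app.granted & SMS_PERMS)

    # A "Google Play update" that is not actually a Google package is the disguise the
    # article describes for the dropped payload.
    if any(h in label for h in IMPERSONATION_HINTS) and app.package not in KNOWN_GOOGLE_PACKAGES:
        findings.append("label impersonates Google Play / system update")
    # Flashlight or card-game apps have no legitimate need to read text messages (TAN theft).
    if sms and any(h in label for h in UTILITY_HINTS):
        findings.append(f"utility app holds SMS permissions: {sms}")
    # Anything outside the Play Store with SMS access or device-admin rights is worth a look.
    if sideloaded and sms:
        findings.append(f"sideloaded app holds SMS permissions: {sms}")
    if sideloaded and app.device_admin:
        findings.append("sideloaded app is an active device administrator")
    return findings


def triage(apps: List[AppRecord], unknown_sources_enabled: bool) -> Dict:
    """Summarise the device: the unknown-sources switch plus every app with findings."""
    flagged: Dict[str, List[str]] = {}
    for app in apps:
        found = risk_findings(app)
        if found:
            flagged[app.package] = found
    return {"unknown_sources_enabled": unknown_sources_enabled, "flagged": flagged}


# Constructed sample inventory; package names are invented placeholders.
SAMPLE_APPS = [
    AppRecord("com.example.tornado.flashlight", "Tornado Flashlight",
              {"android.permission.CAMERA", "android.permission.FLASHLIGHT"},
              installer=PLAY_STORE_INSTALLER),                       # benign-looking dropper shell
    AppRecord("com.example.solitaire", "Solitaire Classic",
              {"android.permission.READ_SMS", "android.permission.INTERNET"},
              installer=PLAY_STORE_INSTALLER),                       # game that can read SMS
    AppRecord("com.example.fakeupdate", "Google Play Update",
              {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
               "android.permission.INTERNET"},
              device_admin=True, installer=None),                    # sideloaded, disguised payload
]

if __name__ == "__main__":
    # "1" stands in for the value `settings get secure install_non_market_apps` would print.
    report = triage(SAMPLE_APPS, unknown_sources_from_setting("1"))
    print("unknown sources enabled:", report["unknown_sources_enabled"])
    for package, findings in report["flagged"].items():
        print(package)
        for line in findings:
            print("  -", line)
```

The flashlight app itself produces no finding, which matches the article: the Play Store listing looked clean and the dangerous behaviour only arrived with the delayed, sideloaded payload. That is why the “unknown sources” switch is the single most useful thing to check.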

I can’t recommend enough just not downloading flashlight apps. They have a terrible reputation for hosting malware and it doesn’t seem like that’s changing anytime soon. Just buy a flashlight. This one is $21 and it’ll even charge your now hopefully malware-free phone.

[Avast]

Senior Reporter, Privacy & Security

DISCUSSION

matt975321

Once again an Android vulnerability is the result of people changing default security settings to install apps from outside the app store. Without the change in setting the payload from an external source would not be able to be installed, so even if you installed the flashlight app you would have been fine. Moral of the story... Android is secure, rather it is users who decide to sideload apps and think they are capable of managing their own security that are the problem. Yeah, perhaps Google should have caught this, but it only mattered if you went ahead and decided to expose your phone to risk.