If you use an Android device and happen upon an update for Adobe Flash player, you’d best not download it. A new strain of malware posing as an innocuous software upgrade is spreading like wildfire via social media and compromised websites.
It looks legitimate enough to fool, at first. A malicious link directs unwitting users to a download page that instructs you to “upgrade” Adobe Flash, a browser plugin designed to run multimedia games and apps on the web. In truth, it downloads a malicious application called “Android/TrojanDownloader.Agent.Jl”.
A second message, which appears after several seconds has elapsed, falsely warns users that their device’s battery-saving mode has been disabled, and prompts them to toggle a switch to enable it again. Users who do so are redirected to the Android Accessibility settings page, where the malware overlays a fake “Saving Battery” option.
If the fake option is toggled, the malware’s effectively granted permission to monitor actions, retrieve window content, and turn on device features at will. It will contact a remote server, sending the compromised device’s details and initiating the download of more apps, adware, and even spyware.
The damage can be difficult to undo. A false device lock screen prevents users from uninstalling the app. And even if it’s bypassed, removing the trojan from the Settings menu doesn’t remove any apps it installed surreptitiously.
Lukas Stefanko, an ESET malware researcher, told Neowin the best way to remove the trojan is to use a mobile security solution.
The best way to protect yourself is to avoid downloading and installing suspicious files from the internet. The malware’s references to Flash Player should be a tip off, too — Adobe discontinued support for the plugin on Android as a result of stability and security concerns.
The malware’s far from the first of its kind. “Gooligan,” an app which which can steal your Gmail account and authentication information, install apps from the Google Play store, rate them without consent, and install adware, infected more than one million devices last year. Another, “Humingbad,” which fraudulently injects third-party ads into applications, was detected on as many as ten million devices in July 2016.
Luckily, Google’s taking charge. At the recent RSA security conference in San Francisco on Wednesday, the search giant announced that Verify Apps, an Android security feature which automatically scans devices for viruses and malware, checked more than 750 million Android devices each day last year. And Google said it’s working with 351 wireless carriers to improve the time it takes to test security patches before deploying them to users.