Security researchers warn that a new form of malware is targeting Android devices, posing as a Flash update that needs to be installed as soon as possible.
SophosLabs, however, warns not only that this is fake update, but also that it includes a form of malware known as Invisible Man and officially flagged as Andr/Banker-GUA. The new infection is based on a the Svpeng malware that was first detected in 2015, the security firm says.
Interestingly, the malware does not infect users in Russia, so when compromising a device, it first checks the phone language. If the phone is set to Russian, all the other tasks are stopped. If any other language is configured, Invisible Man asks for permission to use accessibility services, which can be further compromised to run malicious code.
Stealing credit card data
If the malware is granted the permission to use accessibility services, it then configures itself as the default SMS app in order to take control of the screen and try to steal credit card information as users provide it in apps, including the Google Play Store.
“Invisible Man uses accessibility services to draw things on your screen above other apps, and to install itself as the default SMS app,” the security firm says.
“That ability to draw something on screen above other apps is used to create invisible overlays that sit above legitimate banking apps. The overlay intercepts keystrokes the victim thinks they’re typing into the app underneath such as usernames and passwords.”
One such attempt to steal financial details taking over the Google Play store, so when users launch the Store to install apps, they are prompted to provide credit card information that is collected and sent to the attackers.