Security researchers have found a new strain of Android malware that poses as a Flash Player update which supposedly must be installed right away. The fake update carries a banking Trojan dubbed "Invisible Man", detected as Andr/Banker-GUA. It is a variant of the Svpeng family, which was first detected in 2015. As the name suggests, Invisible Man runs silently on an infected device without the user noticing.
The malware draws an invisible overlay on top of the legitimate mobile banking apps installed on the device and acts as a keylogger, capturing the victim's login details as they are typed into their banking app. Its aims are to steal banking credentials through these phishing overlays and to defeat SMS-based banking authentication.
The malware was first described by researchers at Kaspersky Lab. Its techniques work even on fully updated devices running the latest Android version with all security patches installed, because it abuses a legitimate system feature rather than exploiting a vulnerability: once the user grants it access to that one feature (accessibility services), it can grant itself further rights and harvest large amounts of data. It has been detected in about 23 countries, with infections reported in the United Kingdom, Australia, Poland, Turkey, Singapore and elsewhere.
HOW IT WORKS
The malware is usually disguised as a Flash Player download, and users are lured into fetching the malicious .apk file from certain websites. Once installed, it first checks the phone's language setting. Surprisingly, the malware aborts if the default language is Russian, which is a useful hint at its origin. For any other language it prompts the user to grant it access to accessibility services.
If that access is granted, Invisible Man can begin its attack, which includes placing an invisible overlay on top of the keyboard so that it can record the keystrokes the user enters. Accessibility services are meant for assistive software such as screen readers, which is why an app granted them can observe and act on the contents of other apps' screens.
The malware then makes itself the default SMS app, replacing the existing one, so that it can intercept the victim's messages. This gives the attackers the one-time passcodes that banks send to the victim's phone to authorise transactions.
Invisible Man can also trick users into handing over their credit card details. When the user opens the Google Play Store, an overlay appears asking for credit card information, and anything the user unwittingly types into it is sent to the attacker.
The malware also prevents the user from revoking its device administrator rights, which protects it from removal, and it blocks the user from granting or revoking administrator rights for other apps. Once Invisible Man has gained access it is therefore hard to remove, and prevention is the best defence.
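The behaviour described above (accessibility service, device administrator receiver, overlay permission, SMS interception via the default SMS handler, Flash-themed lure) can be checked for statically before an APK ever reaches a device. The following triage script is an added example, not code from the report or from Kaspersky or Sophos. It parses a plain-text AndroidManifest.xml as produced by `apktool d sample.apk`; the two manifests embedded in it are constructed for illustration and are not the real malware's manifest.

```python
"""Static triage of a decoded AndroidManifest.xml for the capability set the
Invisible Man / Svpeng write-up describes.  Added example; the manifests below
are constructed, not taken from the real sample."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android_attr(name):
    """ElementTree spelling of an android:<name> attribute."""
    return "{%s}%s" % (ANDROID_NS, name)


SMS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
    "android.permission.SEND_SMS", "android.permission.WRITE_SMS",
}
# Two of the components a default SMS app must declare (the others are a
# WAP_PUSH_DELIVER receiver and a SENDTO activity).  SMS_DELIVER is the
# distinctive one: only the current default SMS app receives it.
DEFAULT_SMS_ACTIONS = {
    "android.provider.Telephony.SMS_DELIVER",
    "android.intent.action.RESPOND_VIA_MESSAGE",
}


def triage_manifest(xml_text):
    """Return a dict of capability findings for one decoded manifest."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    if app is None:
        raise ValueError("manifest has no <application> element")
    permissions = {p.get(android_attr("name")) for p in root.findall("uses-permission")}
    actions = {a.get(android_attr("name")) for a in app.iter("action")}
    # In a real apktool dump the label is often "@string/..."; resolve it from
    # res/values/strings.xml if you need the display name.
    label = (app.get(android_attr("label")) or "").lower()
    package = (root.get("package") or "").lower()
    return {
        # Accessibility services must be guarded by BIND_ACCESSIBILITY_SERVICE,
        # and device-admin receivers by BIND_DEVICE_ADMIN, so the permission
        # attribute on the component is a reliable marker for each.
        "accessibility_service": any(
            s.get(android_attr("permission")) == "android.permission.BIND_ACCESSIBILITY_SERVICE"
            for s in app.iter("service")),
        "device_admin_receiver": any(
            r.get(android_attr("permission")) == "android.permission.BIND_DEVICE_ADMIN"
            for r in app.iter("receiver")),
        "overlay_permission": "android.permission.SYSTEM_ALERT_WINDOW" in permissions,
        "sms_permissions": sorted(permissions & SMS_PERMISSIONS),
        "default_sms_handler": DEFAULT_SMS_ACTIONS <= actions,
        "flash_lure": "flash" in label or "flash" in package,
    }


def risk_score(findings):
    """Number of capabilities present.  A genuine 'Flash update' needs none of
    them, so anything above zero deserves a manual look."""
    return sum(1 for value in findings.values() if value)


# Constructed manifest mimicking the described capability set (hypothetical
# package name and class names).
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashupdate">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Flash Player Update">
    <service android:name=".AccService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
    </service>
    <receiver android:name=".AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
    <receiver android:name=".SmsReceiver" android:permission="android.permission.BROADCAST_SMS">
      <intent-filter><action android:name="android.provider.Telephony.SMS_DELIVER"/></intent-filter>
    </receiver>
    <service android:name=".RespondService" android:permission="android.permission.SEND_RESPOND_VIA_MESSAGE">
      <intent-filter><action android:name="android.intent.action.RESPOND_VIA_MESSAGE"/></intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed benign manifest for contrast.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes">
    <activity android:name=".MainActivity">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
  </application>
</manifest>"""

if __name__ == "__main__":
    for name, text in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        findings = triage_manifest(text)
        print(name, risk_score(findings), findings)
```

On the constructed suspicious manifest every check fires (score 6); on the benign one none do. Run it on the `AndroidManifest.xml` from an apktool output directory by passing the file contents to `triage_manifest`; the accessibility and device-admin markers are the ones to weight most heavily, since they are what let this family escalate from a single granted permission.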
Switching the phone's language to Russian would technically sidestep this sample, since it aborts on that setting, but it is not a practical defence and the check could change in the next build. Android users should not download Flash Player or "Flash updates" on their phone at all: Flash has long been a conduit for malware, and Adobe discontinued Flash Player for Android in 2012, so any website prompt to install or update it on Android should be treated as a lure. Anyone who genuinely needs a legacy install should follow Adobe's own instructions for manually installing it rather than trust a third-party site.
Users should also scrutinise the permissions an app asks for, especially requests for accessibility service or device administrator access, which a "Flash update" has no reason to need. Installation from unknown sources should stay disabled so that sideloaded APKs are blocked. Google Play is not a guarantee of safety either, since malicious apps have been found there as well, so the same scrutiny applies to apps from the store.
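The advice above translates into three things that can be checked on a device over adb: which accessibility services are enabled, which apps hold device administrator rights, and whether the legacy "unknown sources" switch is on. The script below is an added example, not code from the report or from Kaspersky or Sophos. Its parsers assume the following output formats: `settings get secure enabled_accessibility_services` returns colon-separated `package/Class` components (or `null`); `settings get secure install_non_market_apps` returns `1` or `0` on Android 7 and earlier (`null` on 8 and later, where sideloading is a per-app grant); and `dumpsys device_policy` lists admins as `package/Class:` lines under an "Enabled Device Admins" heading. The sample outputs embedded in it are constructed, and the package and class names in them are hypothetical.

```python
"""Check an Android device, over adb, for the footholds this malware relies
on: enabled accessibility services, active device admins and the legacy
'unknown sources' setting.  Added example; the sample outputs are constructed
and the adb output formats are assumptions stated in the lead-in."""
import re
import subprocess

# Assumed dumpsys line shape for an admin component, e.g. "    com.x/com.x.Recv:"
COMPONENT_LINE = re.compile(r"^\s*([\w.]+/[\w.$]+):\s*$")


def adb_shell(*args):
    """Run `adb shell ...`; returns "" when adb is missing so saved output can be used instead."""
    try:
        return subprocess.run(["adb", "shell", *args], capture_output=True,
                              text=True, timeout=30, check=False).stdout
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return ""


def parse_accessibility_services(value):
    """'pkg/Cls:pkg2/Cls2' -> list of components; 'null' or empty -> []."""
    value = value.strip()
    if not value or value == "null":
        return []
    return [c for c in value.split(":") if c]


def parse_device_admins(dumpsys_text):
    """Collect 'pkg/Cls' entries following the 'Enabled Device Admins' heading."""
    admins, in_section = [], False
    for line in dumpsys_text.splitlines():
        if line.strip().startswith("Enabled Device Admins"):
            in_section = True
            continue
        match = COMPONENT_LINE.match(line)
        if in_section and match:
            admins.append(match.group(1))
    return admins


def assess(accessibility_value, dumpsys_text, unknown_sources_value, trusted_packages=()):
    """Summarise the three settings; anything not in trusted_packages is flagged."""
    services = parse_accessibility_services(accessibility_value)
    admins = parse_device_admins(dumpsys_text)
    untrusted = lambda comps: [c for c in comps if c.split("/")[0] not in trusted_packages]
    return {
        "accessibility_services": services,
        "untrusted_accessibility": untrusted(services),
        "device_admins": admins,
        "untrusted_admins": untrusted(admins),
        "unknown_sources_enabled": unknown_sources_value.strip() == "1",
    }


# Constructed sample outputs: a legitimate screen reader plus a hypothetical
# 'flash update' package that has taken both accessibility and admin rights.
SAMPLE_ACCESSIBILITY = ("com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
                        "com.example.flashupdate/com.example.flashupdate.AccService")
SAMPLE_DUMPSYS = """Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.example.flashupdate/com.example.flashupdate.AdminReceiver:
      uid=10123
      testOnlyAdmin=false
      policies:
        force-lock
"""
SAMPLE_UNKNOWN_SOURCES = "1"
TRUSTED = ("com.google.android.marvin.talkback",)

if __name__ == "__main__":
    live = adb_shell("settings", "get", "secure", "enabled_accessibility_services")
    if live:
        report = assess(live, adb_shell("dumpsys", "device_policy"),
                        adb_shell("settings", "get", "secure", "install_non_market_apps"), TRUSTED)
    else:  # no device or no adb: fall back to the constructed sample
        report = assess(SAMPLE_ACCESSIBILITY, SAMPLE_DUMPSYS, SAMPLE_UNKNOWN_SOURCES, TRUSTED)
    for key, value in report.items():
        print("%-24s %s" % (key, value))
```

An untrusted entry in `untrusted_accessibility` or `untrusted_admins` is the state this family leaves behind and should be investigated; because the malware blocks revoking its own admin rights from the settings UI, removal may need `adb shell pm uninstall` after booting into safe mode, or a factory reset. Extend `TRUSTED` with the accessibility apps your organisation actually deploys so the check stays quiet on clean devices.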