A video published Thursday by security researcher Lukas Stefanko exposed a malicious app hosted on the Google Play store that delivered banking malware onto unsuspecting users’ mobile devices.
Harvesting Your Passwords
The app, called Easy Rates Converter, markets itself as a currency conversion tool. In reality, it infects devices with malware designed to harvest login credentials for legitimate cryptocurrency and fiat banking applications.
According to Hard Fork, the targeted apps included Binance’s official app, CommBank, and Google Play itself. At the time Stefanko published his video, the app had over 500 downloads. The developer name listed on the app is ‘hitech_soft.’
According to Stefanko, the app itself is only a dropper. Once installed, it presents the user with a fake Adobe Flash update; accepting it makes the app fetch the actual banking malware over the user’s internet connection and install it on the device. Throughout, the app still works as a currency converter, so nothing appears wrong on the surface.
Once the device is infected, the malware waits for the user to open one of the targeted banking apps, then draws an overlay designed to look exactly like that app’s login screen and prompts the user to enter their login details. Anything entered is sent to a server under the attacker’s control.
While it runs, the malicious component is visible in the Android app switcher alongside the user’s other open apps. Knowing it was there did not help, however: when Stefanko tried to tap back into the legitimate app on his phone, the malware drew its overlay over the screen again.
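The overlay attack described above needs two things a responder can look for on a device: the permission to draw over other apps, and an installation path that did not go through the Play Store, which is how the dropped payload here arrived. The triage script below is an added example, not Stefanko’s or ESET’s code. It parses text in the shape of `adb shell dumpsys package` output and flags packages that request `SYSTEM_ALERT_WINDOW` or `REQUEST_INSTALL_PACKAGES` (the permission an app needs to install a second APK), rating highest the ones that hold the overlay grant and were installed by something other than the Play Store. The sample dumpsys text is constructed to mimic that output, every package name in it is invented, and the severity rules are my own assumptions; on Android 6 and later the overlay grant is an app-op, so confirm any hit with `adb shell appops get <package> SYSTEM_ALERT_WINDOW`.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Capability an overlay banking trojan needs to draw a fake login screen.
OVERLAY_PERMISSIONS = {"android.permission.SYSTEM_ALERT_WINDOW"}
# Capability a dropper needs to install a second APK on Android 8+.
DROPPER_PERMISSIONS = {"android.permission.REQUEST_INSTALL_PACKAGES"}
PLAY_STORE_INSTALLER = "com.android.vending"
# Assumption: a team maintains its own allowlist of packages that legitimately
# draw over other apps; this single entry is illustrative.
ALLOWLIST = {"com.android.systemui"}

# Constructed sample modelled on `adb shell dumpsys package` output; the
# package names are invented and this is not a capture from a real device.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.android.systemui] (3f8a1c2):
    userId=10012
    installerPackageName=null
    requested permissions:
      android.permission.SYSTEM_ALERT_WINDOW
      android.permission.INTERNET
    install permissions:
      android.permission.SYSTEM_ALERT_WINDOW: granted=true
      android.permission.INTERNET: granted=true
  Package [com.example.converter] (9b1d0e4):
    userId=10101
    installerPackageName=com.android.vending
    requested permissions:
      android.permission.INTERNET
      android.permission.REQUEST_INSTALL_PACKAGES
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.REQUEST_INSTALL_PACKAGES: granted=true
  Package [com.example.flashupdate] (c0ffee1):
    userId=10102
    installerPackageName=com.example.converter
    requested permissions:
      android.permission.INTERNET
      android.permission.SYSTEM_ALERT_WINDOW
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.SYSTEM_ALERT_WINDOW: granted=true
  Package [com.example.bank] (d4d4d4d):
    userId=10103
    installerPackageName=com.android.vending
    requested permissions:
      android.permission.INTERNET
    install permissions:
      android.permission.INTERNET: granted=true
"""


@dataclass
class PackageInfo:
    name: str
    installer: Optional[str] = None          # None when dumpsys prints "null"
    requested: List[str] = field(default_factory=list)
    granted: List[str] = field(default_factory=list)


def parse_dumpsys(text: str) -> Dict[str, PackageInfo]:
    """Collect installer and permission data per 'Package [...]' block."""
    pkgs: Dict[str, PackageInfo] = {}
    current: Optional[PackageInfo] = None
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Package \[([\w.]+)\]", line)
        if m:
            current = PackageInfo(name=m.group(1))
            pkgs[current.name] = current
            section = None
            continue
        if current is None:
            continue
        if line.startswith("installerPackageName="):
            value = line.split("=", 1)[1]
            current.installer = None if value in ("", "null") else value
        elif line.endswith("permissions:"):
            section = line                   # "requested permissions:" etc.
        elif section == "requested permissions:" and line.startswith("android.permission."):
            current.requested.append(line)
        elif section in ("install permissions:", "runtime permissions:") and "granted=true" in line:
            current.granted.append(line.split(":", 1)[0])
    return pkgs


def triage(pkgs: Dict[str, PackageInfo]) -> List[Dict[str, object]]:
    """Flag overlay-capable or dropper-capable packages, sideloaded ones highest."""
    findings = []
    for p in pkgs.values():
        if p.name in ALLOWLIST:
            continue
        overlay = sorted(set(p.requested) & OVERLAY_PERMISSIONS)
        dropper = sorted(set(p.requested) & DROPPER_PERMISSIONS)
        if not overlay and not dropper:
            continue
        overlay_granted = [perm for perm in overlay if perm in p.granted]
        sideloaded = p.installer != PLAY_STORE_INSTALLER
        if overlay_granted and sideloaded:
            severity = "high"       # can draw fake login screens, did not come via Play
        elif overlay_granted:
            severity = "medium"     # can draw overlays but came via Play
        else:
            severity = "low"        # requested only, or dropper capability alone
        findings.append({
            "package": p.name,
            "installer": p.installer,
            "overlay": overlay,
            "dropper": dropper,
            "severity": severity,
        })
    return sorted(findings, key=lambda f: f["package"])


if __name__ == "__main__":
    for finding in triage(parse_dumpsys(SAMPLE_DUMPSYS)):
        print(finding)
```

On a real device, pipe `adb shell dumpsys package` into `parse_dumpsys` in place of the sample. Note that an installer of `null` means a sideload or a system image, so a hit there is not proof by itself; the pairing of a granted overlay permission with a non-Play installer is what narrows the list to the pattern this app used.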
Keeping an Eye Out
A search of the Google Play store shows the app has been taken down since it became the subject of Stefanko’s video, in which he also explains how to remove the malware once it is found on a device.
This isn’t the only way attackers are using fake Adobe Flash updates to install malware on users’ computers. Early in October, security researchers at Palo Alto Networks reported a spike in fake Flash installers being used to infect computers with cryptocurrency-mining malware. The installer did actually install Flash on the host computer, but at the same time dropped software that mined Monero.
Stefanko works as a researcher for security company ESET.