A recent malware threat: a multifunctional Android trojan
A recently discovered Android trojan, detected as Android.Banker.L, combines features of banking trojans, keyloggers and ransomware. Its goal is the familiar one: gain a foothold on victims' devices and steal their sensitive information.
Quick Heal's analysis found that the malware uses several techniques at once against user devices. Beyond the capabilities of a typical Android banking trojan, it carries code to forward calls, record audio, log keystrokes and carry out ransomware attacks. It can also launch the device's browser on a URL supplied by its command-and-control (C&C) server, whose address is retrieved through Twitter.
After installation, Android.Banker.L repeatedly opens the Accessibility Settings page until the user enables its Accessibility Service. Once that is granted, the malware can act on the user's behalf and no longer needs any further user input to obtain or use device permissions.
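Because the whole infection chain hinges on the victim enabling a rogue accessibility service, a quick triage step on a suspect device is to list every enabled accessibility service and flag the ones not on a known-good allowlist. The script below is an added example, not code from the original article or from Quick Heal. It parses the value of the `enabled_accessibility_services` secure setting (as printed by `adb shell settings get secure enabled_accessibility_services`, a colon-separated list of `package/ServiceClass` entries, or the literal `null` when nothing has ever been enabled). The allowlist, the sample setting and the package and class names in it are assumptions constructed for the example.

```python
"""Audit the accessibility services enabled on an Android device.

Added example (not from the original article or from Quick Heal).
Input is the output of:
    adb shell settings get secure enabled_accessibility_services
which is a colon-separated list of "package/ServiceClass" entries, or the
literal string "null" when the setting has never been written.
"""

# Hypothetical allowlist of packages the analyst trusts to run an
# accessibility service (an assumption for this example, not a standard list).
TRUSTED_PACKAGES = {
    "com.google.android.marvin.talkback",
    "com.android.switchaccess",
}


def parse_enabled_services(raw: str) -> list[tuple[str, str]]:
    """Parse the setting value into (package, fully_qualified_class) pairs.

    Handles the "null" / empty case, stray whitespace, trailing colons and
    the abbreviated "pkg/.Class" form in which a leading dot means the class
    name is relative to the package.
    """
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    pairs: list[tuple[str, str]] = []
    for entry in raw.split(":"):
        entry = entry.strip()
        if not entry:
            continue
        if "/" in entry:
            pkg, cls = entry.split("/", 1)
        else:
            # Malformed entry: keep the package, record an empty class name
            pkg, cls = entry, ""
        if cls.startswith("."):
            cls = pkg + cls  # expand the short ComponentName form
        pairs.append((pkg, cls))
    return pairs


def flag_untrusted(pairs: list[tuple[str, str]],
                   trusted: set[str] = TRUSTED_PACKAGES) -> list[tuple[str, str]]:
    """Return the enabled services whose package is not on the allowlist."""
    return [(pkg, cls) for pkg, cls in pairs if pkg not in trusted]


# Constructed sample value, as if captured from a compromised device.
# "com.example.fakeflash" is an invented package name for this example.
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.fakeflash/.svc.ControlService:"
)

if __name__ == "__main__":
    services = parse_enabled_services(SAMPLE_SETTING)
    for pkg, cls in flag_untrusted(services):
        print(f"UNTRUSTED accessibility service enabled: {pkg} ({cls})")
```

In practice the flagged package would then be inspected further (its APK pulled, its requested permissions and overlay usage checked); an accessibility service enabled for an app that has no accessibility purpose is exactly the signal this trojan's installation routine produces.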
Why Is It So Difficult to Detect This Malware?
Quick Heal also stressed that the malware's main Android application package (APK) is heavily obfuscated, with all of its strings encrypted. Its ransomware component, on the other hand, performs no real encryption: it simply renames the victim's files and deletes the originals, so the file contents themselves are not cryptographically altered.
The threat uses financial phishing overlays that appear when specific targeted applications are launched. The overlays closely imitate the genuine login screens, so users enter their credentials without suspicion.
The malware also works to defeat attempts to detect or remove it. For example, it displays a fake system warning claiming the device is malfunctioning and asking the user to disable Google Play Protect. Another example is a fake "error 495" message shown whenever the user tries to uninstall the app.