Android users: beware ‘Invisible Man’ malware disguised as Flash

Android users have a new threat to worry about: keylogging malware that masquerades as a bogus Flash update and steals banking data. Needless to say, criminals in possession of your credentials will happily suck your bank accounts dry.

SophosLabs detects the malware as Andr/Banker-GUA and is blocking it from customers. Also known as “Invisible Man,” the malware is a variant of Svpeng whose original authors fell foul of Russia’s Ministry of the Interior in 2015.

The malware starts by checking your phone’s language settings. If the phone is set to Russian, the malware aborts. If it’s set to anything else, it proceeds to ask for permission to use accessibility services.

Accessibility services are there to help users with disabilities but the access they allow can also be used for malicious ends.

Invisible Man uses accessibility services to draw things on your screen above other apps, and to install itself as the default SMS app.

That ability to draw something on screen above other apps is used to create invisible overlays that sit above legitimate banking apps. The overlay intercepts the keystrokes the victim thinks they’re typing into the app underneath, such as usernames and passwords.

If you try to open Google Play, it pops up a fake credit card details page to hoover up your card data.

Defensive measures

For users, the first red flag should be when they receive a Flash Player download. Flash has long been a conduit for malware and has been the butt of endless jabs in the information security community.

Because of Flash’s numerous, well-publicised security problems, Flash is frequently updated, and users have been told over and over that downloading the latest version is an important security precaution.

Malware authors play on this familiarity by dressing up their malicious software as Flash updates.

Android users (OK, all users) are well advised to give Flash a wide berth in any case. If you really, really need it on your phone you should only download the Flash player by following Adobe’s instructions for manually installing Flash on Android.

The second red flag, for users who don’t normally need them, is apps asking for permission to use accessibility services.
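A quick device triage for the two settings this malware abuses, as an added example that is not from the original post or from Sophos: it parses the values Android keeps under the secure settings keys enabled_accessibility_services and sms_default_application (what an administrator would pull with adb shell settings get secure), flags any accessibility service whose package is outside an allowlist, and reports a changed default SMS app. The allowlist, the expected SMS app and the sample values are assumptions constructed for the example.

```shell
# Added example (not from the article): triage the two Android secure settings
# the malware described above abuses. The sample values below are constructed,
# not captured from a real infection.
#
# Real Android secure-settings keys:
#   enabled_accessibility_services  - colon-separated ComponentNames (pkg/Class)
#   sms_default_application         - package name of the default SMS app

# Packages expected to hold accessibility access on this device
# (an assumption; adjust to the screen readers etc. approved for the fleet).
ACCESSIBILITY_ALLOWLIST="com.google.android.marvin.talkback"

# Expected default SMS app on the device (an assumption for the example).
EXPECTED_SMS_APP="com.google.android.apps.messaging"

# Print the package of every enabled accessibility service not on the
# allowlist. Input: the raw colon-separated value of the settings key.
unexpected_accessibility_services() {
    value="$1"
    # Each entry is pkg/ServiceClass; split on ':' and keep the package part.
    echo "$value" | tr ':' '\n' | while IFS= read -r component; do
        [ -z "$component" ] && continue
        pkg="${component%%/*}"
        case " $ACCESSIBILITY_ALLOWLIST " in
            *" $pkg "*) ;;          # approved package, nothing to report
            *) echo "$pkg" ;;       # anything else is a red flag
        esac
    done
}

# Return 0 if the default SMS app is the expected one, 1 otherwise.
sms_default_is_expected() {
    [ "$1" = "$EXPECTED_SMS_APP" ]
}

# Constructed sample values standing in for the output of:
#   adb shell settings get secure enabled_accessibility_services
#   adb shell settings get secure sms_default_application
SAMPLE_A11Y="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.flashupdate/.OverlayService"
SAMPLE_SMS="com.example.flashupdate"

unexpected_accessibility_services "$SAMPLE_A11Y"
sms_default_is_expected "$SAMPLE_SMS" || echo "default SMS app changed: $SAMPLE_SMS"
```

On a real device, feed the two `adb shell settings get secure` values into the same functions; a fresh, unfamiliar package in either place is the signal to investigate.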

As noted above, Sophos detects this malware and blocks it. The continued onslaught of malicious Android apps demonstrates the need to use an Android antivirus such as our free Sophos Mobile Security for Android.

By blocking the install of malicious and unwanted apps, even if they come from Google Play, you can spare yourself lots of trouble.