Security researchers at Sophos have discovered new malware that aims to steal Android users' banking information. Named Invisible Man, the malware is a variant of Svpeng, which was most popular during the 2013-14 period.
The malware pretends to be a Flash Player update and then exploits accessibility services for malicious purposes. Before doing so, however, Invisible Man checks the device's language settings. Interestingly, if the phone is set to Russian, the malware will stop and the handset will not be infected. However, if the device is using any other language, the malware will continue as normal.
Invisible Man uses accessibility services to draw things on screen as well as to set itself as the main messaging application. Sophos explains that the "ability to draw something on screen above other apps is used to create invisible overlays that sit above legitimate banking apps. The overlay intercepts keystrokes the victim thinks they’re typing into the app underneath such as usernames and passwords." For example, when users open the Google Play Store, a popup is displayed on-screen and requests that users enter their card information.
Recommendation: Adobe Flash Player should be avoided, if possible, as it is a source of a large number of vulnerabilities. If Flash is required, the instructions on Adobe's website should be followed closely to avoid downloading malicious programs. Users should also look out for what permissions are requested by applications. This will give a good indication of whether the program could be harmful.
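The permission check recommended above can be automated for analysts reviewing an APK before it is allowed on managed devices. The following is an added example, not code from Sophos or the original page: it assumes the manifest has already been decoded to text XML (for instance with apktool), and the flag names, the `needs_review` heuristic and the sample manifest are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest for a fake "Flash Player" APK (not taken from a real sample).
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashupdate">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Flash Player">
    <service android:name=".Svc" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <receiver android:name=".Sms">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_DELIVER"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

def triage_manifest(xml_text):
    """Return capability flags found in a decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    flags = set()
    perms = {e.get(NS + "name") for e in root.iter("uses-permission")}
    if "android.permission.SYSTEM_ALERT_WINDOW" in perms:
        flags.add("overlay_permission")
    # An accessibility service must be guarded by BIND_ACCESSIBILITY_SERVICE.
    for svc in root.iter("service"):
        if svc.get(NS + "permission") == "android.permission.BIND_ACCESSIBILITY_SERVICE":
            flags.add("accessibility_service")
    # Only an app that handles SMS_DELIVER can be chosen as the default SMS app.
    actions = {a.get(NS + "name") for a in root.iter("action")}
    if "android.provider.Telephony.SMS_DELIVER" in actions:
        flags.add("default_sms_handler")
    app = root.find("application")
    label = app.get(NS + "label", "") if app is not None else ""
    if "flash" in label.lower():
        flags.add("flash_themed_label")
    return flags

def needs_review(flags):
    """Heuristic (assumption): accessibility plus overlay or SMS handling."""
    return "accessibility_service" in flags and bool(flags & {"overlay_permission", "default_sms_handler"})
```

Legitimate apps such as screen readers and SMS clients also declare these capabilities, so a hit is a prompt for manual review rather than a verdict.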