Connect with us

Hi, what are you looking for?


Mobile & Wireless

Trojan Downloader Masquerades as Defunct Flash Player for Android

A recently observed malware downloader targeting Android users is masquerading as an update for Adobe Flash Player, ESET researchers warn.

A recently observed malware downloader targeting Android users is masquerading as an update for Adobe Flash Player, ESET researchers warn.

Although the Flash Player for Android was discontinued nearly half a decade ago, cybercriminals are still abusing it to trick unsuspecting users into downloading and installing their malicious programs. As always, the attackers rely on user’s willingness to download and install a fake update when prompted to do so via a well-designed, legitimate-looking update screen.

Dubbed Android/TrojanDownloader.Agent.JI, the newly discovered threat uses this technique to infect the devices of users navigating social media or adult sites. Following installation, the malware presents more deceptive screens to its victims, to trick them into granting it special permissions in the Android accessibility menu, which then allow it to download and execute additional malware.

For that, the Trojan displays a fake screen informing the victim of “too much consumption of energy” and urging that a “Saving Battery” mode is enabled. As most malware, this downloader won’t take no for an answer and would continue to display the message until the user agrees to enable the service.

At this point, the malware takes the victim to the Android Accessibility menu, which displays a list of services with accessibility functions, including a new service that the malware has created during the installation process, called “Saving battery.” When the user enables it, it requests permissions to monitor actions, retrieve window content, and turn on explore by touch.

As soon as the service has been enabled, the fake Flash Player icon is hidden from the user, although the malware runs in the background. It contacts the command and control (C&C) server to deliver information about the infected device and receive a link to a malicious app to download (which could be banking malware, ransomware, adware, or spyware).

After receiving the link, the malware displays a bogus lockscreen that the user can’t dismiss, in an attempt to mask the nefarious activities it is engaged in. Because it has the permission to mimic the user’s clicks, the Trojan can now “download, install, execute and activate device administrator rights for additional malware without the user’s consent, all while remaining unseen under the fake lock screen,” ESET explains.

Advertisement. Scroll to continue reading.

To remove the malicious program, users should head to Settings -> Application Manager and try to manually uninstall it. However, should the malware have Device admin rights enabled (it requests those as well in some cases), users should head to Settings -> Security -> Flash-Player and deactivate those first.

Uninstalling the downloader, however, might prove only a partial solution, as the malware fetched and installed by the threat would remain on the infected device. Victims should install a mobile security application to perform a full cleanup.

To stay protected, users are advised to avoid installing applications from third-party, untrusted websites, but use only legitimate app stores, such as Google Play, instead. Users should also pay close attention to the permissions newly installed programs request, as those that don’t seem appropriate for the software’s functions might be a giveaway of malicious intent.

Related: Android Trojan Posing as Flash Player Targets Banking Apps

Related: Gugi Banking Trojan Can Bypass Android 6 Protection

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Critical security flaws expose Samsung’s Exynos modems to “Internet-to-baseband remote code execution” attacks with no user interaction. Project Zero says an attacker only needs...

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Mobile & Wireless

The February 2023 security updates for Android patch 40 vulnerabilities, including multiple high-severity escalation of privilege bugs.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.


A digital ad fraud scheme dubbed "VastFlux" spoofed over 1,700 apps and peaked at 12 billion ad requests per day before being shut down.