A family of malware known as “Invisible Man” abuses Android OS accessibility services in order to steal users’ banking credentials.
Invisible Man, also known as “Svpeng”, has earned quite a reputation for itself in the past few years. It was one of the first trojans to attack SMS-based banking and to steal users’ credentials via phishing overlays. Such novelty garnered attention for the malware among computer criminal circles… as well as Russian law enforcement.
Once again, the threat is up to no good. This time it’s posing as Adobe Flash Player for Android on malicious websites, a well-worn disguise in the digital crime world. When anyone installs it, the fake app requests the ability to use accessibility services on the now-infected device.
Roman Unuchek, a senior malware analyst at Kaspersky Lab, explains the significance of this appeal:
“Using accessibility services allows the Trojan to get access to the UI of other apps and to steal data from them, such as the names of the interface elements and their content, if it is available. This includes entered text. Furthermore, it takes screenshots every time the user presses a button on the keyboard, and uploads them to the malicious server. It supports not only the standard Android keyboard but also a few third-party keyboards.”
Oh, and did I mention it can also make itself a device administrator without any interaction from the user?
Accessibility services at work, my friends! Technically, these features are primarily designed to help users with disabilities interact with their devices. But that doesn’t stop bad actors from abusing them for nefarious purposes.
Case in point: the bad actors behind this campaign wait until an unsuspecting victim visits a mobile banking site and begins entering their login credentials. At that point, the malware uses the accessibility services to draw a phishing overlay over the attacked app and steal the victim’s username and password. Invisible Man can also send, collect, and steal incoming SMS messages, which renders any enabled two-step verification measures useless.
Svpeng doesn’t just target banking sites, however. It also attacks the PayPal and eBay mobile apps, a rewards app, and some Google programs including the Play Store with an overlay designed to steal users’ credit card details.
So far, this attack campaign has struck at least 23 countries, with users reporting infections in Russia, the United Kingdom, Australia, Singapore, and elsewhere.
To protect their devices against Invisible Man, users should not download applications off third-party marketplaces. They should only install programs created by trusted developers and hosted by Google’s Play Store. Additionally, they should use common sense to abandon installs if something seems suspicious. Here’s a perfect example: if an app for no apparent reason requests access to the Android accessibility services, you should cancel the install.
Lastly, please stop trying to add Flash Player to your phones. Android hasn’t used Flash Player officially since 2013. Not even Adobe wants the program anymore. Give it up, for the sake of your device security!
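The accessibility advice above can also be checked after the fact on a phone connected over adb. The script below is an added example, not part of the original article: it lists every package that holds an enabled accessibility service and is not on an expected list, together with the installer that `pm list packages -i` reports for it. The allowlist, the package names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Packages expected to hold an accessibility service on this device
# (hypothetical allowlist, space-separated; adjust to your own devices).
ALLOWED_A11Y="com.google.android.marvin.talkback"

# a11y_packages SERVICES
# SERVICES is the colon-separated component list printed by
#   adb shell settings get secure enabled_accessibility_services
# Prints one package name per line, de-duplicated.
a11y_packages() {
    case $1 in ''|null) return 0 ;; esac   # nothing enabled
    printf '%s\n' "$1" | tr -d '\r' | tr ':' '\n' | sed 's|/.*||' | sort -u
}

# audit_a11y SERVICES PM_LIST
# PM_LIST is the output of: adb shell pm list packages -i
# Prints "package installer" for each enabled service outside the allowlist.
audit_a11y() {
    a11y_packages "$1" | while IFS= read -r pkg; do
        case " $ALLOWED_A11Y " in *" $pkg "*) continue ;; esac
        installer=$(printf '%s\n' "$2" | tr -d '\r' |
            awk -v p="package:$pkg" \
                '$1 == p { sub(/^installer=/, "", $2); print $2; exit }')
        printf '%s %s\n' "$pkg" "${installer:-unknown}"
    done
}

# Constructed sample data (not from a real device or from the article).
SAMPLE_SERVICES='com.google.android.marvin.talkback/.TalkBackService:com.example.flashplayer/.Service'
SAMPLE_PM_LIST='package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.flashplayer  installer=null'

# On a real device:
#   audit_a11y "$(adb shell settings get secure enabled_accessibility_services)" \
#              "$(adb shell pm list packages -i)"
audit_a11y "$SAMPLE_SERVICES" "$SAMPLE_PM_LIST"
```

A flagged package whose installer is not `com.android.vending` (the Play Store) was installed from outside the Play Store or came preinstalled, so it deserves a closer look before it keeps accessibility access.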