A new mobile malware threat has been discovered – Invisible Man malware – that is being installed via fake software updates. Invisible Man malware is a keylogger that has been designed to obtain banking credentials. While the malware is not new – it has been around for four years – it is frequently updated, and a newly discovered variant takes advantage of the accessibility services on Android devices.
As the name suggests, Invisible Man malware runs silently on infected devices without the user's knowledge. The malware is an overlay that sits on top of legitimate banking apps and intercepts inputs as they are entered on the device. It also allows the attackers behind the malware to intercept text messages, in particular those used for two-factor authentication and codes sent by banks to authorize transactions.
Once installed on a device, it has administrator rights to all Android accessibility services, is installed as the default SMS app, and has rights to send and receive SMS messages, make calls, and access contacts on the phone. It can also take screenshots and prevents itself from being uninstalled, according to Kaspersky Lab.
Invisible Man malware has been developed for attacks in Australia, France, Germany, Poland, Singapore, Turkey and the UK, working as a keylogger across 63 banking apps. All data collected is immediately transferred to its C2 server.
Kaspersky Lab reports that Invisible Man malware is primarily being installed on devices using fake software updates, specifically fake Flash Player updates offered on malicious websites as a downloaded APK file.
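The combination described above (an enabled accessibility service, the default SMS role, and an app that did not come from an app store) can be checked on a device you manage. The following is an added example, not code from Kaspersky Lab or from this article; it parses the output of three standard `adb shell` queries named in the comments. The package names and sample output are constructed, and the set of trusted installers is an assumption.

```python
import re

# Installer packages treated as trusted stores (assumption; adjust for your fleet).
TRUSTED_INSTALLERS = {"com.android.vending"}

def parse_accessibility(value):
    """Packages from `settings get secure enabled_accessibility_services`
    (colon-separated 'package/service' component names)."""
    if not value or value.strip() in ("", "null"):
        return set()
    return {c.split("/", 1)[0] for c in value.strip().split(":") if c}

def parse_installers(pm_output):
    """Map package -> installer from `pm list packages -i` lines."""
    installers = {}
    for line in pm_output.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            installers[m.group(1)] = m.group(2)
    return installers

def triage(accessibility_value, default_sms, pm_output):
    """Return {package: [reasons]} for apps that hold an accessibility service
    or the default SMS role and were not installed by a trusted store."""
    a11y = parse_accessibility(accessibility_value)
    installers = parse_installers(pm_output)
    # default_sms is the output of `settings get secure sms_default_application`
    sms = (default_sms or "").strip()
    candidates = a11y | ({sms} if sms and sms != "null" else set())
    findings = {}
    for pkg in sorted(candidates):
        installer = installers.get(pkg, "null")
        if installer in TRUSTED_INSTALLERS:
            continue
        reasons = []
        if pkg in a11y:
            reasons.append("accessibility service enabled")
        if pkg == sms:
            reasons.append("default SMS app")
        reasons.append("installer=" + installer)
        findings[pkg] = reasons
    return findings

# Constructed sample device output (package names are made up).
SAMPLE_A11Y = "com.example.flashupdate/.OverlayService:com.example.reader/.TalkService"
SAMPLE_SMS = "com.example.flashupdate\n"
SAMPLE_PM = """package:com.example.flashupdate  installer=null
package:com.example.reader  installer=com.android.vending
package:com.example.bank  installer=com.android.vending"""

if __name__ == "__main__":
    for pkg, reasons in triage(SAMPLE_A11Y, SAMPLE_SMS, SAMPLE_PM).items():
        print(pkg, "->", "; ".join(reasons))
```

Preinstalled system apps can also report no installer, so treat each hit as an item to review rather than a verdict.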
Beware of Fake Software Updates
The latest attacks highlight an important point. If you receive a warning on screen telling you that your software is out of date, don’t click and download the update. In this case, the user will be asked to confirm installation, and will be required to provide this app with administrator rights to accessibility services.
Fake software updates are one of the most common methods used to distribute malware, bloatware, adware, ransomware and other nasties.
Given the frequency of software updates now being released to address recently found vulnerabilities, your software may actually be out of date. However, you should visit the vendor’s website and perform a check to see if you have the latest version installed. If not, download the update directly from the vendor’s website.
Fake software updates are usually offered via popups – windows that appear when you access a website. They commonly feature flashing GIFs and stern warnings of the risks of not updating your software immediately. Warnings that your computer has already been infected with malware are also common.
Warnings do not only appear when surfing the Internet; spammers use the same tactics via email. The emails often contain the same logos, color schemes and branding as the legitimate software vendor and look highly realistic.
However, you should not trust any email asking you to download an executable, part with login credentials or provide other sensitive information, even if it is sent from someone you know.