Android.Banker.L is a newly reported combination malware: it logs keystrokes, it can act as ransomware, and it functions as a banking Trojan that compromises the device and steals data.
This malware is stealthy. On top of the usual banking Trojan routines, it can enable call forwarding, record audio, log keystrokes and deploy its ransomware payload. It can also launch the device browser with a URL received from its command-and-control (C&C) server, which it contacts via Twitter.
Once installed on a device, it repeatedly opens the Accessibility settings page and nags the user to enable its accessibility service. With that service enabled it can read the screen and act on the user's behalf, clicking through permission prompts and other dialogs, so it can grant itself further capabilities without any real user input.
The malware's APK is "highly obfuscated and all strings are encrypted," which hampers static analysis. If it receives the command to encrypt all files on the device, it renames the encrypted files and deletes the originals.
Credential phishing is done with overlays: when specific targeted applications are launched, the malware draws a fake login screen on top of them. The overlays mimic the real app closely enough that users readily enter their login credentials.
If the user suspects that the device has been infected, the malware takes steps to avoid removal. It displays a fake alert warning that the "system does not work correctly", and a message encouraging the user to disable Google Play Protect. When an uninstall is attempted, it displays a fake system alert reading "error 495"; the app itself is listed under the name "sistemguncelle" (Turkish for "system update").
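The behaviours described above (an accessibility service used to click through prompts, overlay windows for phishing, call forwarding, audio recording, file encryption and resistance to removal) each require a specific permission or component that has to be declared in the APK's manifest, even when the code strings are encrypted. As an added example (not code from the original post or from any vendor's tooling), the following Python script turns that into a triage heuristic: it parses a decoded AndroidManifest.xml and scores the combination of indicators. The indicator weights, the verdict thresholds, the package names and both sample manifests are constructed assumptions for illustration.

```python
"""Manifest triage heuristic for banker-style Android malware.

Added example (not from the original post or any vendor tool). Weights,
thresholds, package names and the sample manifests are assumptions
constructed for illustration.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION = f"{{{ANDROID_NS}}}permission"

# Behaviour -> (where it is declared, required permission, weight).
# "permission": a <uses-permission> at manifest root.
# "service"/"receiver": a component guarded by that permission.
INDICATORS = {
    "accessibility_service": ("service", "android.permission.BIND_ACCESSIBILITY_SERVICE", 4),
    "overlay": ("permission", "android.permission.SYSTEM_ALERT_WINDOW", 3),
    "call_forwarding": ("permission", "android.permission.CALL_PHONE", 2),
    "audio_recording": ("permission", "android.permission.RECORD_AUDIO", 2),
    "sms_access": ("permission", "android.permission.RECEIVE_SMS", 2),
    "file_encryption": ("permission", "android.permission.WRITE_EXTERNAL_STORAGE", 1),
    "device_admin": ("receiver", "android.permission.BIND_DEVICE_ADMIN", 3),
}


def triage_manifest(manifest_xml: str) -> dict:
    """Score one decoded AndroidManifest.xml and return hits, score, verdict."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(NAME) for e in root.findall("uses-permission")}
    guarded = set()  # (component tag, android:permission) pairs
    app = root.find("application")
    if app is not None:
        for comp in app:
            if comp.tag in ("service", "receiver") and comp.get(PERMISSION):
                guarded.add((comp.tag, comp.get(PERMISSION)))

    hits, score = [], 0
    for label, (kind, perm, weight) in INDICATORS.items():
        present = perm in requested if kind == "permission" else (kind, perm) in guarded
        if present:
            hits.append(label)
            score += weight

    # Accessibility + overlay together is the core of the overlay-phishing
    # pattern, so that pair alone is enough to flag the sample.
    if ("accessibility_service" in hits and "overlay" in hits) or score >= 8:
        verdict = "suspicious"
    elif score >= 4:
        verdict = "review"
    else:
        verdict = "benign-looking"
    return {"package": root.get("package"), "hits": hits, "score": score, "verdict": verdict}


# Constructed sample: the indicator set a banker-style sample would declare.
SAMPLE_BANKER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fake_update">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""

# Constructed sample: an ordinary app with no indicator of interest.
SAMPLE_BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application>
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""


if __name__ == "__main__":
    for manifest in (SAMPLE_BANKER_MANIFEST, SAMPLE_BENIGN_MANIFEST):
        print(triage_manifest(manifest))
```

Run it on a manifest decoded with apktool or aapt2. Treat the result as a triage filter, not a verdict: screen readers and password managers legitimately hold BIND_ACCESSIBILITY_SERVICE, and SYSTEM_ALERT_WINDOW is common in chat-head style apps, so a "suspicious" score should send the sample to dynamic analysis rather than straight to a blocklist. Because this family encrypts its strings, the manifest is one of the few static artefacts that cannot be hidden from this kind of check.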
As always, a word of caution: Android users should be careful about the applications they install and avoid sideloading unverified APKs. An app that keeps nagging for accessibility access, or that asks you to disable Google Play Protect, should be treated as a red flag.