Android/Spy.Agent.SI is, as its name suggests, a spying tool: a new Android trojan that steals its victims' Google and bank account credentials. ESET security researchers report that it is being distributed through websites carrying "Flash Player for Android" ads.
If the ads do not already look suspicious, keep in mind that Adobe discontinued Flash Player for Android in 2012. These ads exist only to trick users into downloading a malicious APK onto their device. Once installed, the trojan asks for device administrator rights, and if they are granted it becomes very hard to remove: Android will not let you uninstall an active device administrator until its rights are revoked under Settings > Security > Device administrators.
The trojan first collects device information and sends it to a C&C server. Once the connection between the C&C and the infected device is established, the server sends the trojan a list of target apps. Whenever one of those apps is opened, the trojan draws a fake login page over it; users who fill in their credentials are actually handing them to the trojan, which forwards them to the C&C server.
Worse, the trojan does not encrypt the stolen credentials before sending them. The Google and banking credentials travel in plain text, so anyone who can observe the traffic can steal them too. According to ESET, the trojan has so far targeted financial apps for banks in Turkey, New Zealand, and Australia.
Android/Spy.Agent.SI can also intercept SMS messages, so SMS-based two-factor authentication on the spoofed app does not stop it. ESET has provided steps for uninstalling the trojan. The simplest defence is to never download "Flash Player for Android": it no longer exists, and what you would be installing is a data-stealing trojan.
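The combination the article describes, an app that holds device administrator rights and also requests the permissions needed to draw over other apps (SYSTEM_ALERT_WINDOW) and to read incoming SMS, is something you can check for yourself on a connected device. The script below is an added example, not ESET's tooling or anything from the original write-up. It parses text in the shape of `adb shell dumpsys device_policy` and `adb shell dumpsys package <pkg>` output; the two dumps embedded here are constructed samples that approximate the real format, and the package names (including the "flash" lure) are invented for illustration.

```python
import re
from typing import Dict, List, Set

# Permissions that, together with active device-admin rights, match the
# behaviour described above: overlaying other apps and reading 2FA SMS.
OVERLAY_PERMISSION = "android.permission.SYSTEM_ALERT_WINDOW"
SMS_PERMISSIONS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}

# Constructed sample, approximating `adb shell dumpsys device_policy`
# (abbreviated; a real dump has many more fields).
DEVICE_POLICY_DUMP = """\
Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.android.mdm.corp/.DeviceAdminReceiver:
      uid=10042
      policies:
        reset-password
    com.flashplayer.installer/.AdminReceiver:
      uid=10137
      policies:
        force-lock
        wipe-data
"""

# Constructed sample, approximating `adb shell dumpsys package <pkg>`
# for three packages concatenated together.
PACKAGE_DUMP = """\
Packages:
  Package [com.android.mdm.corp] (1a2b3c):
    userId=10042
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_PHONE_STATE
  Package [com.flashplayer.installer] (4d5e6f):
    userId=10137
    requested permissions:
      android.permission.INTERNET
      android.permission.SYSTEM_ALERT_WINDOW
      android.permission.RECEIVE_SMS
      android.permission.READ_SMS
      android.permission.GET_TASKS
  Package [com.example.bank] (7a8b9c):
    userId=10201
    requested permissions:
      android.permission.INTERNET
      android.permission.USE_FINGERPRINT
"""

# "    <package>/<receiver>:" lines inside the Enabled Device Admins section
ADMIN_RE = re.compile(r"^\s{4}([A-Za-z0-9_.]+)/\S+:\s*$")
PACKAGE_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
PERM_RE = re.compile(r"^\s*(android\.permission\.[A-Z_]+)\s*$")


def enabled_device_admins(dump: str) -> Set[str]:
    """Package names listed as enabled device admins in a device_policy dump."""
    admins: Set[str] = set()
    in_section = False
    for line in dump.splitlines():
        if "Enabled Device Admins" in line:
            in_section = True
            continue
        if in_section:
            indent = len(line) - len(line.lstrip())
            if line.strip() and indent < 4:
                break  # left the admins section
            m = ADMIN_RE.match(line)
            if m:
                admins.add(m.group(1))
    return admins


def requested_permissions(dump: str) -> Dict[str, Set[str]]:
    """Map package name -> permissions listed under 'requested permissions:'."""
    perms: Dict[str, Set[str]] = {}
    current = None
    in_perms = False
    for line in dump.splitlines():
        m = PACKAGE_RE.match(line)
        if m:
            current = m.group(1)
            perms[current] = set()
            in_perms = False
            continue
        if current is None:
            continue
        if line.strip() == "requested permissions:":
            in_perms = True
            continue
        if in_perms:
            p = PERM_RE.match(line)
            if p:
                perms[current].add(p.group(1))
            else:
                in_perms = False  # end of the permission list
    return perms


def flag_overlay_trojans(device_policy_dump: str, package_dump: str) -> List[dict]:
    """Device admins that also request overlay and/or SMS permissions."""
    admins = enabled_device_admins(device_policy_dump)
    perms = requested_permissions(package_dump)
    findings = []
    for pkg in sorted(admins):
        requested = perms.get(pkg, set())
        overlay = OVERLAY_PERMISSION in requested
        sms = sorted(requested & SMS_PERMISSIONS)
        if overlay or sms:
            findings.append({
                "package": pkg,
                "overlay": overlay,
                "sms_permissions": sms,
                "flash_lure_name": "flash" in pkg.lower(),  # heuristic only
            })
    return findings


if __name__ == "__main__":
    for f in flag_overlay_trojans(DEVICE_POLICY_DUMP, PACKAGE_DUMP):
        print(f)
```

On a real device, feed the script the output of `adb shell dumpsys device_policy` and of `adb shell dumpsys package <pkg>` for each admin package instead of the constructed samples. A legitimate MDM agent will show up as a device admin too, which is why the script only reports admins that also ask for overlay or SMS access; treat any hit as a prompt to revoke the admin rights and uninstall, not as proof on its own.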