It is unbelievable that almost five years after Adobe announced it would stop developing Flash Player for Android, users are still installing a non-existent piece of software, which in almost all cases is just malware in disguise.
Unfortunately, this is exactly what seems to be happening, and on a regular basis, as malicious apps disguised as Adobe Flash continue to be one of the simplest and most efficient ways to distribute mobile malware, right there next to “dedicated video players for viewing adult movies.”
In the past few years, we’ve seen this basic lure used to trick users into downloading hoards of banking trojans, adware, and RATs on the Android devices of unsuspecting users.
The amount of reports citing a fake Flash Player for Android as the source of a malware infection is staggering. Take it from an infosec reporter like yours truly. There’s one every week.
Android Flash Player lure still efficient even today
The most recent case was discovered this week by ESET security researchers.
The malicious app, disguised as a Flash for Android package, was offered as an automatic download to users landing on the flash-update[.]info website.
According to ESET, users ended up on this site after being redirected from malicious adult sites, and via social media spam. Just like so many times before, they were told they needed an updated Flash Player to view the content of another site.
Users who downloaded and installed this fake Flash app would be infected with a generic “malware downloader,” which would download all sort of different malware on their devices, based on instructions it received from an online command & control server.
More surprisingly is that during the installation process, the app’s purpose changed from Flash Player to a battery saving app, and apparently some users just strolled through all the installation screens, regardless.
Please stop falling for this trick!
Even if it’s mind-boggling that so many Android users haven’t found out by now that there’s no Flash for Android, there’s also another problem here.
The users that are falling for this trick are disregarding their mobile’s security on purpose.
None of these users wouldn’t have been able to install the fake Android Flash app if they didn’t disable a default and built-in Android protection measure, such as the limitation that prevents users from installing apps from outside the Play Store.
Whoever is falling for the Flash for Android app installation trick is most likely careless about all facets of security, not just ignorant to Adobe’s decision to abandon Flash five years ago.
The only way to combat and educate this class of users is to hammer two messages in every article about mobile security that we are ever going to wrote.
Those are not to install Flash for Android (because it doesn’t exist), and to not install apps from outside the Play Store. Nonetheless, we doubt that someone with so little thought for their device’s security is reading these articles anyway. It’s worth a try anyway.