Agent.Jl is an Android Trojan found in a malicious application imitating Adobe Flash Player. It tricks users into granting special permissions and then downloads and executes additional malware on the victim device. The Trojan targets Android devices, including those running versions released in early 2017.

Agent.Jl is distributed via compromised websites, such as adult video and social media sites. The websites advise the user to download a fake Adobe Flash Player update. If the victim runs the installation, a pop-up is displayed, claiming “too much consumption of energy,” advising the user to turn on a fake “Saving Battery” mode. The message will continue to appear on the victim’s device until they agree to enable the service. The Android Accessibility menu is then displayed with the fake “Saving Battery” service now appearing. Once the service is enabled, it requests extensive permissions that will allow the attacker to mimic the user’s clicks and select anything displayed on the compromised device’s screen.

At this point, the Flash Player icon is hidden and the malware contacts its C2 server in the background, providing it with information on the infected device. The C2 server responds with a URL to a malicious app, containing malware ranging from banking malware to ransomware. Once the Trojan has retrieved the malicious link, the device displays a fake “lock screen” with no option to close it, allowing the malicious activity to continue in the background. At this point, the malware can download, install, execute, and activate device administrator rights for additional malware without the user’s consent. Once the malicious activity is complete, the display disappears and the victim can use their infected device again.

To protect against this threat, always download software updates from the company’s official website, always download apps from official app stores, and pay close attention to the permissions requested by apps. It is also recommended to use a mobile security application to protect your device from active threats.
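
Because the infection depends on a sideloaded app holding an enabled Accessibility service, a device can be audited for exactly that combination. The following is an added example, not taken from ESET or from this profile: it assumes `adb` with USB debugging, treats Google Play as the only trusted installer, and uses constructed sample data with hypothetical package names.

```python
import subprocess

TRUSTED_INSTALLERS = {"com.android.vending"}  # assumption: only Google Play is trusted

# Constructed sample data; package and class names are hypothetical.
SAMPLE_SERVICES = ("com.example.oem.screenreader/.ReaderService:"
                   "com.example.flashupdate/.SavingBatteryService")
SAMPLE_PACKAGES = """package:com.example.flashupdate  installer=null
package:com.example.notes  installer=com.android.vending
"""

def parse_services(value):
    """Split the colon-separated 'package/class' list; 'null' or empty means none enabled."""
    value = value.strip()
    if value in ("", "null"):
        return []
    return [tuple(c.partition("/")[::2]) for c in value.split(":") if c]

def parse_installers(listing):
    """Map package -> installer from 'package:<pkg>  installer=<pkg|null>' lines."""
    result = {}
    for line in listing.splitlines():
        fields = line.strip().split()
        if not fields or not fields[0].startswith("package:"):
            continue
        pkg = fields[0][len("package:"):]
        inst = [f[len("installer="):] for f in fields[1:] if f.startswith("installer=")]
        result[pkg] = inst[0] if inst else "null"
    return result

def flag_sideloaded_services(services_value, third_party_listing):
    """Return (package, class, installer) for each enabled accessibility service that
    belongs to a user-installed app whose installer is not trusted."""
    installers = parse_installers(third_party_listing)
    flagged = []
    for pkg, cls in parse_services(services_value):
        # Packages missing from the third-party listing are preinstalled; skip them.
        if pkg in installers and installers[pkg] not in TRUSTED_INSTALLERS:
            flagged.append((pkg, cls, installers[pkg]))
    return flagged

def adb_shell(*args):
    """Run a command on the connected device (requires adb and USB debugging)."""
    return subprocess.run(["adb", "shell", *args], capture_output=True,
                          text=True, check=True).stdout

if __name__ == "__main__":
    services = adb_shell("settings", "get", "secure", "enabled_accessibility_services")
    packages = adb_shell("pm", "list", "packages", "-3", "-i")
    for pkg, cls, inst in flag_sideloaded_services(services, packages):
        print(f"REVIEW: {pkg}/{cls} has accessibility access (installer={inst})")
```

Any package this reports should be reviewed and, if unrecognized, have its Accessibility service disabled in Settings before the app is uninstalled.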

Technical Details

  • ESET researchers provide technical details on the Android Trojan, Agent.Jl, here.
One example of the Agent.Jl variant. Image source: ESET