Charger.B, believed to be a modified version of Android/Charger, is an Android trojan embedded in a Flashlight widget application that was available on the Google Play Store between March 30, 2017 and April 10, 2017, when it was removed. Once the app launches, it requests device administrator rights and, once granted, the app hides its icon, only appearing as the widget. It registers the infected device to the attackers’ C2 server, sending device information, a list of installed applications, and attaches a picture of the device owner taken by the front camera. If the information collected indicates the victim is located in Russia, Ukraine, or Belarus, the C2 will send the command to stop the malware activity. Based on the apps found on the targeted device, once the app is downloaded, the trojan runs and will attempt to retrieve victims’ credentials when the user opens a certain app, such as a mobile banking or social media app. Malicious HTML code runs in WebView and overlays a fake login page on top of the legitimate app. The credentials are then sent unencrypted to the attackers’ C2 server. The malware communicates with the C2 server using Firebase Cloud Messages (FCM), the first time this channel has been used by an Android malware. Based on commands from its C2 server, this malware can also lock infected devices to hide fraudulent activity, and intercept SMS and display fake notifications to bypass two-factor authentication. It is difficult to uninstall the app as it does not allow the victim to turn off the active device administrator. Victims will have to boot their device in Safe mode to uninstall and remove the malicious app.


Technical Details

  • Enterprise Innovation provides technical analysis of Trojan.Android/Charger.B here.
  • ESET researchers provide additional analysis here.
  • Check Point researches provide additional analysis here.