{
	"id": "d48aebeb-8501-4b61-b5a4-4c6c9d561874",
	"created_at": "2026-04-06T00:14:16.36224Z",
	"updated_at": "2026-04-10T13:12:25.750691Z",
	"deleted_at": null,
	"sha1_hash": "9180e8940d343d0335eec635a2328f3fb8615b4f",
	"title": "New Android trojan mimics user clicks to download dangerous malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 391078,
	"plain_text": "New Android trojan mimics user clicks to download dangerous\r\nmalware\r\nBy Lukas Stefanko\r\nArchived: 2026-04-05 17:20:46 UTC\r\nESET Research\r\nMobile Security\r\nAndroid users are exposed to a new malicious app imitating Adobe Flash Player and serving as an entrance gate for\r\npotentially any kind of dangerous malware\r\n14 Feb 2017  •  , 4 min. read\r\nAndroid users have been exposed to a new malicious app imitating Adobe Flash Player that serves as a potential\r\nentrance for many types of dangerous malware. The application, detected by ESET security software as\r\nAndroid/TrojanDownloader.Agent.JI, tricks its victims into granting it special permissions in the Android\r\naccessibility menu and uses these to download and execute additional malware of the attackers’ choice.\r\nAccording to our analysis, the trojan targets devices running Android, including the latest versions. It is distributed\r\nvia compromised websites – adult video sites, but also via social media. Under the pretense of safety measures, the\r\nwebsites lure users into downloading a fake Adobe Flash Player update. If victims fall for the legitimate-looking\r\nupdate screen and runs the installation, they have more deceptive screens to look forward to.\r\nhttps://www.welivesecurity.com/2017/02/14/new-android-trojan-mimics-user-clicks-download-dangerous-malware/\r\nPage 1 of 9\n\nFigure 1: Fake Flash Player update screen\r\nHow does it work?\r\nThe next phony screen pops up following successful installation, claiming “too much consumption of energy” and\r\nurging the user to turn on a fake “Saving Battery” mode. Like most malicious pop ups, the message won’t stop\r\nappearing until the victim gives in and agrees to enable the service. This opens the Android Accessibility menu,\r\nshowing a list of services with accessibility functions. Among the legitimate ones, a new service (created by the\r\nmalware during installation) named “Saving battery” appears. The service then requests permissions to Monitor your\r\nactions, Retrieve window content and Turn on Explore by Touch – all crucial for future malicious activity, enabling the\r\nattacker to mimic the user’s clicks and select anything displayed on their screen.\r\nhttps://www.welivesecurity.com/2017/02/14/new-android-trojan-mimics-user-clicks-download-dangerous-malware/\r\nPage 2 of 9\n\nFigure 2: Pop-up screen requesting “Saving Battery” after install\r\nhttps://www.welivesecurity.com/2017/02/14/new-android-trojan-mimics-user-clicks-download-dangerous-malware/\r\nPage 3 of 9\n\nFigure 3: Android Accessibility menu with the malicious service\r\nhttps://www.welivesecurity.com/2017/02/14/new-android-trojan-mimics-user-clicks-download-dangerous-malware/\r\nPage 4 of 9\n\nFigure 3: Android Accessibility menu with the malicious service\r\nOnce the service is enabled, the fake Flash Player icon hides from the user. However, in the background, the malware\r\nis busy contacting its C\u0026C server and providing it with information about the compromised device. The server\r\nresponds with a URL leading to a malicious app of the cybercriminal's choice – in the detected case, banking malware\r\n(though it could be any malware ranging from adware through spyware, and on to ransomware). After acquiring the\r\nmalicious link, the compromised device displays a bogus lock screen with no option to close it, covering the ongoing\r\nmalicious activity beneath it.\r\nhttps://www.welivesecurity.com/2017/02/14/new-android-trojan-mimics-user-clicks-download-dangerous-malware/\r\nPage 5 of 9\n\nFigure 5: Lock screen covering malicious activity\r\nThis is when the permission to mimic the user’s clicks comes in handy – the malware is now free to download, install,\r\nexecute and activate device administrator rights for additional malware without the user’s consent, all while\r\nremaining unseen under the fake lock screen. After the app’s secret shenanigans are done, the overlay screen\r\ndisappears and the user is able to resume using the mobile device – now compromised by the downloaded malware.\r\nHas my device been infected? How do I clean it?\r\nIf you think you might have installed this fake Flash Player update in the past, you can easily verify by checking for\r\n‘Saving Battery’ under Services in the Accessibility menu. If listed under the services, your device may very well be\r\ninfected.\r\nDenying the service its permissions will only bring you back to the first pop up screen and will not get rid of\r\nAndroid/TrojanDownloader.Agent.JI.\r\nTo remove the downloader, try manually uninstalling the app from Settings -\u003e Application Manager -\u003e Flash-Player.\r\nhttps://www.welivesecurity.com/2017/02/14/new-android-trojan-mimics-user-clicks-download-dangerous-malware/\r\nPage 6 of 9\n\nIn some instances, the downloader also requests that the user activate Device administrator rights. If that turns out to\r\nbe the case and you can’t uninstall the app, deactivate the administrator rights by going to Settings -\u003e Security -\u003e\r\nFlash-Player and then proceed with uninstalling.\r\nEven after doing so, your device might still be infected by countless malicious apps installed by the downloader. To\r\nmake sure your device is clean, we recommend using a reputable mobile security app as a hassle-free way to detect\r\nand remove threats. \r\nHow to stay safe\r\nTo avoid dealing with the consequences of nasty mobile malware, prevention is always the key. Apart from sticking to\r\ntrustworthy websites, there are a couple more things you can do to stay safe.\r\nIf you’re downloading apps or updates in your browser, always check the URL address to make sure you’re installing\r\nfrom the intended source. In this particular case, the only safe place to get your Adobe Flash Player update is from the\r\nofficial Adobe website.\r\nAfter running anything you’ve installed on your mobile device, pay attention to what permissions and rights it\r\nrequests. If an app asks for permissions that don’t seem appropriate to its function, don’t enable these without double\r\nchecking.\r\nLast but not least, even if all else fails, a reputable mobile security solution will protect your device from active\r\nthreats.\r\nIf you’d like to find out more about Android-based malware, look into our latest research on the topic. You’re also\r\nwelcome to stop by ESET’s stand at this year’s Mobile World Congress.\r\nVideo capture from an infected device (time edited)\r\nhttps://www.welivesecurity.com/2017/02/14/new-android-trojan-mimics-user-clicks-download-dangerous-malware/\r\nPage 7 of 9\n\nAnalyzed sample's Indicators of Compromise (IoCs)\r\nPackage Name Hash Detection name\r\nloader.com.loader 4F086B56C98257D6AFD27F04C5C52A48C03E9D62 Android/TrojanDownloader.Agent.JI\r\ncosmetiq.fl C6A72B78A28CE14E992189322BE74139AEF2B463 Android/Spy.Banker.HD\r\nLet us keep you\r\nup to date\r\nSign up for our newsletters\r\nhttps://www.welivesecurity.com/2017/02/14/new-android-trojan-mimics-user-clicks-download-dangerous-malware/\r\nPage 8 of 9\n\nSource: https://www.welivesecurity.com/2017/02/14/new-android-trojan-mimics-user-clicks-download-dangerous-malware/\r\nhttps://www.welivesecurity.com/2017/02/14/new-android-trojan-mimics-user-clicks-download-dangerous-malware/\r\nPage 9 of 9",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.welivesecurity.com/2017/02/14/new-android-trojan-mimics-user-clicks-download-dangerous-malware/"
	],
	"report_names": [
		"new-android-trojan-mimics-user-clicks-download-dangerous-malware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434456,
	"ts_updated_at": 1775826745,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9180e8940d343d0335eec635a2328f3fb8615b4f.pdf",
		"text": "https://archive.orkl.eu/9180e8940d343d0335eec635a2328f3fb8615b4f.txt",
		"img": "https://archive.orkl.eu/9180e8940d343d0335eec635a2328f3fb8615b4f.jpg"
	}
}