Latest News

Android Trojan Mimics Clicks In Order To Download Malware

Android users have been exposed to a new malicious app imitating Adobe Flash Player that serves as a potential entrance for many types of dangerous malware. The application, detected by ESET security software as Android/TrojanDownloader.Agent.JI, tricks its victims into granting it special permissions in the Android accessibility menu and uses these to download and execute additional malware of the attackers’ choice.

Fake flash update screen

 The trojan appears to target devices running Android, including the latest versions. It is distributed via compromised websites – adult video sites, but also via social media. Under the pretense of safety measures, the websites lure users into downloading a fake Adobe Flash Player update. If the victim falls for the legitimate-looking update screen and runs the installation, they have more deceptive screens to look forward to.

How does it work?

Pop up suggesting ‘saving battery’ option


Once the service is enabled, the fake Flash Player icon hides from the user. However, in the background, the malware is busy contacting its C&C server and providing it with information about the compromised device. The server responds with a URL leading to a malicious app of the cybercriminal’s choice – in the detected case, a banking malware (though it could be any malware ranging from adware through spyware, and on to ransomware). After acquiring the malicious link, the compromised device displays a bogus lock screen with no option to close it, covering the ongoing malicious activity beneath it.

This is when the permission to mimic the user’s clicks comes in handy – the malware is now free to download, install,

Lock screen displayed while malware is downloaded

execute and activate device administrator rights for additional malware without the user’s consent, all while remaining unseen under the fake lock screen. After the app’s secret shenanigans are done, the overlay screen disappears and the user is able to resume using their mobile device – now compromised by the downloaded malware.

Has my device been infected? How do I clean it?

If you think you might have installed this fake Flash Player update in the past, you can easily verify by checking for ‘Saving Battery’ under Services in the Accessibility menu. If listed under the services, your device may very well be infected. Denying the service its permissions will only bring you back to the first pop up screen and will not get rid of Android/TrojanDownloader.Agent.JI.

To remove the downloader, try manually uninstalling the app from Settings -> Application Manager -> Flash-Player.

In some instances, the downloader also requests the user to activate Device administrator rights. If that turns out to be the case and you can’t uninstall the app, deactivate the administrator rights by going to Settings -> Security -> Flash-Player and then proceed with uninstalling.

Even after doing so, your device might still be infected by countless malicious apps installed by the downloader. To make sure your device is clean you could download a reputable mobile security app.

How to stay safe

To avoid dealing with the consequences of nasty mobile malware, prevention is always the key. Apart from sticking to trustworthy websites, there are a couple more things you can do to stay safe.

If you’re downloading apps or updates in your browser, always check the URL address to make sure you’re installing from the intended source. In this particular case, the only safe place to get your Adobe Flash Player update is from the official Adobe website.

After running anything you’ve installed on your mobile device, pay attention to what permissions and rights it requests. If an app asks for permissions that don’t seem adequate to its function, don’t enable these without double checking.


Get Safe Online is the UK’s leading source of factual and easy-to-understand information on online safety. Their website offers advice on how you can protect yourself, your computers and devices, and your business against the likes of fraud, identity theft, viruses and other potential online problems.

ThinkUKnow is a national website which offers tailored advice to young people about online safety concerns. There is also a section on there if you are a parent/carer or a teacher who is concerned about a young person’s safety online.

%d bloggers like this: