The company did not specify how the malware gained access to a mobile device. Once it did, the malware checked the device's language setting; if it was Russian, the malware did nothing further.
In all other cases, a pop-up appeared asking for permission to use accessibility services, which, while a legitimate set of tools for users with disabilities, can also be used for nefarious purposes.
Sophos said Invisible Man used the accessibility services to draw things on the screen of the mobile device and then installed itself as the default app for SMS.
"The overlay intercepts keystrokes the victim thinks they’re typing into the app underneath such as usernames and passwords."
If the user tried to open Google Play Store, a pop-up would appear asking for credit card details.
The company said the appearance of notifications for Flash updates was one red flag to watch out for, but admitted that since Flash was full of holes, one could not forgo updates.
However, requests to use accessibility services should be considered a warning sign, it said.
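
A defender-side check for the two footholds described above, an accessibility service grant and the default SMS app setting, follows as an added example; it is not code from Sophos or from the original article. It assumes the two input strings were read with `adb shell settings get secure enabled_accessibility_services` and `adb shell settings get secure sms_default_application`; the allowlist and the sample package names are constructed.

```python
"""Audit which packages hold accessibility access and the default SMS role.

Assumed inputs (not from the article), read from a device under review with:
  adb shell settings get secure enabled_accessibility_services
  adb shell settings get secure sms_default_application
"""

# Hypothetical allowlist: packages the device owner knowingly granted.
TRUSTED = {"com.google.android.marvin.talkback", "com.google.android.apps.messaging"}


def parse_accessibility(raw):
    """Return package names from a colon-separated 'package/class' list."""
    raw = (raw or "").strip()
    if raw in ("", "null"):
        return set()
    return {entry.split("/", 1)[0].strip() for entry in raw.split(":") if entry.strip()}


def parse_sms_default(raw):
    """Return the default SMS package, or None when the setting is unset."""
    raw = (raw or "").strip()
    return None if raw in ("", "null") else raw


def audit(accessibility_raw, sms_raw, trusted=TRUSTED):
    """Return (severity, package, reason) findings, highest severity first."""
    a11y = parse_accessibility(accessibility_raw)
    sms = parse_sms_default(sms_raw)
    findings = []
    for pkg in sorted(a11y - trusted):
        if pkg == sms:
            # Same combination the article describes: overlay access plus SMS control.
            findings.append(("high", pkg, "accessibility service and default SMS app"))
        else:
            findings.append(("medium", pkg, "accessibility service enabled"))
    if sms and sms not in trusted and sms not in a11y:
        findings.append(("medium", sms, "default SMS app"))
    return sorted(findings, key=lambda f: f[0] != "high")


if __name__ == "__main__":
    # Constructed sample values; the second package is a made-up name.
    sample_a11y = ("com.google.android.marvin.talkback/.TalkBackService:"
                   "com.example.flashupdate/com.example.flashupdate.Service")
    for finding in audit(sample_a11y, "com.example.flashupdate"):
        print(*finding, sep="\t")
```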