The app hides itself inside Solitaire and flashlight apps, and was first detected on 13 October.
Once downloaded, the trojan then waits for users to login to selected banking apps. It will even intercept text messages for two-factor authentication, making it especially dangerous for bank account logins.
Think scanning your apps will detect the trojan? Apparently the malware is smart enough to hold back from connecting to an external server to download malicious code by two hours, meaning it might be able to bypass security software.
Moral of the story: there's no such thing as a free lunch...or flashlight. Download apps only from trusted sources and perhaps avoid sideloading apps from dodgy websites.