Google Play Store's Dropper Apps are targeting over 200 banking wallets
Several Android malware droppers were found on the Google Play store delivering banking trojans disguised as app updates. Because a dropper does not carry the malware itself, it is easy to get onto the Play store and hard to keep out.
At the same time, droppers do not raise suspicion among users because they deliver the advertised functionality while the malicious behavior takes place behind the scenes.
Five malicious dropper Android apps with more than 130,000 cumulative installations have been discovered on the Play Store. They distribute banking trojans such as SharkBot and Vultur, which are capable of stealing financial data and performing on-device fraud.
Researchers have recently found a newer set of droppers used to distribute Android malware; these programs offer a stealthy path to infecting devices.
The increasing restrictions and safeguards in major Android releases are meant to prevent malware from abusing permissions, fetching malicious modules from external sources, or using the accessibility service to interact with the device without limit.
Scammers have used dropper apps on Google Play to distribute banking malware to unwitting users, and the operators of these campaigns have continued to refine their methods to evade the limits imposed by Google.
The malicious apps, four of which are still available on the digital marketplace, are listed below:
The SharkBot campaign
The first cryptocurrency mining campaign identified by researchers is the SharkBot banking trojan. The malware harvests credentials using fake login forms overlaid on legitimate apps, while its keylogging feature can steal passwords; it can also hide SMS messages and take remote control of mobile devices.
The researchers found two harmless-looking dropper apps designed to download SharkBot onto victims' mobile devices. The first app, 'Codice Fiscale 2022', is disguised as a tool to calculate tax payments in Italy and has been downloaded 10,000 times.
If the user installs a malicious dropper app, it prompts them to install a fake update, which installs the SharkBot malware on their device.
To install additional packages fetched from a remote server, Google requires an app to request the REQUEST_INSTALL_PACKAGES permission. Newer versions of Android warn about the dangers of this permission, making it harder to persuade users to install the "update."
The dropper instead opens a webpage made to appear like Google Play, tricking the user into tapping the "Update" button from the browser.
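The permission pattern described above is something an analyst can triage statically before an app ever runs. The following is an added example, not code from the article or from ThreatFabric: it parses a decoded AndroidManifest.xml, flags the permissions a dropper-plus-trojan chain depends on (REQUEST_INSTALL_PACKAGES to sideload the "update", an accessibility service to automate the device afterwards, SMS access for one-time codes, overlay windows), and returns a score. The weights, the `triage_manifest` function name and the sample manifests are all constructed for this example; they are not a Play Store or Android rule.

```python
"""Static triage of an Android manifest for dropper / banking-trojan permission patterns.
Added example (not from the article); weights and sample manifests are constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERM_ATTR = f"{{{ANDROID_NS}}}permission"

# Assumed triage weights for <uses-permission> entries (constructed scoring, not an Android rule).
RISKY_PERMISSIONS = {
    "android.permission.REQUEST_INSTALL_PACKAGES": 5,  # lets the app sideload further APKs (the fake "update")
    "android.permission.RECEIVE_SMS": 3,               # interception of SMS one-time codes
    "android.permission.READ_SMS": 3,
    "android.permission.SYSTEM_ALERT_WINDOW": 2,       # overlay windows used for fake login forms
}
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def triage_manifest(manifest_xml: str) -> dict:
    """Return flagged permissions, whether an accessibility service is declared, and a verdict."""
    root = ET.fromstring(manifest_xml)
    requested = [el.get(NAME_ATTR, "") for el in root.iter("uses-permission")]
    flagged = {p: RISKY_PERMISSIONS[p] for p in requested if p in RISKY_PERMISSIONS}

    # An accessibility service is not a <uses-permission>; it is a <service> whose
    # android:permission attribute is BIND_ACCESSIBILITY_SERVICE.
    accessibility = any(svc.get(PERM_ATTR) == ACCESSIBILITY_BIND for svc in root.iter("service"))

    score = sum(flagged.values()) + (4 if accessibility else 0)
    if "android.permission.REQUEST_INSTALL_PACKAGES" in flagged and accessibility:
        score += 3  # sideload, then drive the UI: the full dropper-to-trojan chain in one package
    verdict = "review" if score >= 5 else "low"
    return {
        "package": root.get("package"),
        "flagged": sorted(flagged),
        "accessibility_service": accessibility,
        "score": score,
        "verdict": verdict,
    }


# Constructed sample: a "file manager" that only needs network access plus the ability
# to install packages, which is exactly the shape of a dropper.
SAMPLE_DROPPER_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.filemanager">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <application android:label="File Manager">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""

# Constructed sample: the dropped payload, declaring an accessibility service plus SMS and overlay access.
SAMPLE_PAYLOAD_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.payload">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <application android:label="System Update">
        <service android:name=".A11yService"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    </application>
</manifest>
"""

# Constructed sample: a benign app that only talks to the network.
SAMPLE_BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Notes"/>
</manifest>
"""

if __name__ == "__main__":
    for m in (SAMPLE_DROPPER_MANIFEST, SAMPLE_PAYLOAD_MANIFEST, SAMPLE_BENIGN_MANIFEST):
        print(triage_manifest(m))
```

The manifest must already be decoded (for example with apktool); the binary AXML inside an APK is not plain XML. The score is deliberately coarse: REQUEST_INSTALL_PACKAGES alone is enough to send a "file manager" for manual review, which mirrors why Android itself now warns on that permission.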
The SharkBot version it drops targets Italian banks using fake login overlays, SMS interception for two-factor codes, keylogging, and a cookie stealer. The File Manager dropper app delivers a wider-ranging version, configured to load overlays for banks in Italy, the UK, Germany, Spain, Poland, Austria, Australia, and the United States.
The Vultur campaign
Another campaign using dropper apps delivers the Vultur malware, a banking Trojan operated by a threat actor nicknamed the "Brunhilda Project." Vultur can perform on-device fraud by giving its operators remote screen streaming and a remote keyboard for social media and messaging apps.
The new variant seen in ThreatFabric's latest campaign also includes a previously unseen system for logging user interface gestures, clicks, and other actions carried out by the user on the device. The malware developers added this component to circumvent Android's screenshot security flag, which prevents user data from appearing in screenshots or screencasts.
The droppers distributing Vultur are the following:
Like the SharkBot droppers, these also display a request to install a fake update disguised as a Google Play notice. If the user allows the update to install, it downloads and installs the Vultur malware.
To avoid detection by the Play Store, the attack logic is not contained in the dropper apps themselves but is loaded dynamically from an additional dex file sent by the attacker's command-and-control servers. In addition, the droppers encrypt their strings with AES to conceal their functions from automated scanners.
Three further apps were found that offered the advertised features but also had a covert function: on opening, they prompted the user to install an update and to grant permission to install apps from untrusted sources, which led to the installation of Vultur.
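The two evasion techniques described above (a payload loaded at runtime from a second dex file, and AES-encrypted strings) leave traces that a static scanner can still look for: references to a runtime class loader and a cipher, together with an unusually high share of opaque, high-entropy string constants. The following is an added example, not code from the article or from ThreatFabric, showing that heuristic over a list of strings such as one would extract from a dex file. The `analyze_strings` function, its thresholds, and the two sample string sets are constructed for this example.

```python
"""Heuristic for dynamic-loader plus encrypted-string evasion in extracted dex strings.
Added example (not from the article); thresholds and sample strings are constructed."""
import math
import re

# Class and method references a dynamically-loaded payload typically needs.
LOADER_MARKERS = (
    "dalvik/system/DexClassLoader",
    "dalvik/system/InMemoryDexClassLoader",
    "dalvik/system/PathClassLoader",
)
# Crypto references consistent with AES string decryption at runtime.
CRYPTO_MARKERS = ("javax/crypto/Cipher", "javax/crypto/spec/SecretKeySpec", "AES/")

# Base64-looking constants of at least 16 characters are candidates for encrypted strings.
ENCODED_RE = re.compile(r"[A-Za-z0-9+/=]{16,}")
ENTROPY_THRESHOLD = 4.2  # bits per character; assumed cut-off for "looks like ciphertext"
OPAQUE_RATIO_THRESHOLD = 0.25


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character in s (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def analyze_strings(strings: list) -> dict:
    """Score a list of string constants for loader + crypto + opaque-string indicators."""
    loader_hits = sorted({s for s in strings if any(m in s for m in LOADER_MARKERS)})
    crypto_hits = sorted({s for s in strings if any(m in s for m in CRYPTO_MARKERS)})
    opaque = [s for s in strings if ENCODED_RE.fullmatch(s) and shannon_entropy(s) >= ENTROPY_THRESHOLD]
    opaque_ratio = len(opaque) / len(strings) if strings else 0.0

    score = 0
    if loader_hits:
        score += 3  # code that is not in the APK is code the store scanner never saw
    if crypto_hits:
        score += 2
    if opaque_ratio >= OPAQUE_RATIO_THRESHOLD:
        score += 3  # most constants are unreadable: consistent with AES-encrypted strings
    verdict = "suspicious" if score >= 6 else ("inconclusive" if score >= 3 else "clean")
    return {
        "loader_hits": loader_hits,
        "crypto_hits": crypto_hits,
        "opaque_count": len(opaque),
        "opaque_ratio": round(opaque_ratio, 3),
        "score": score,
        "verdict": verdict,
    }


# Constructed sample: what the string table of a dropper using the techniques above might contain.
# The 24-character tokens stand in for AES-encrypted, base64-encoded strings (random-looking by design).
SUSPICIOUS_STRINGS = [
    "dalvik/system/DexClassLoader",
    "javax/crypto/Cipher",
    "AES/CBC/PKCS5Padding",
    "javax/crypto/spec/SecretKeySpec",
    "x7Kq2pLz9vRmT4wYb8NcJ3hF",
    "u3Gs8hQe1LzX0kVp6TnWy5Cd",
    "Zr4Hk9mB2qWx7LtP1nVy5CdE",
    "File Manager",
    "Update available",
]

# Constructed sample: string table of an ordinary app with readable constants only.
BENIGN_STRINGS = [
    "File Manager", "Open", "Delete", "Rename",
    "https://example.invalid/help", "Settings", "Are you sure?",
]

if __name__ == "__main__":
    print(analyze_strings(SUSPICIOUS_STRINGS))
    print(analyze_strings(BENIGN_STRINGS))
```

Each indicator on its own is legitimate (plugin frameworks use class loaders, and any app may encrypt data), which is why the heuristic only raises "suspicious" when they occur together. It also shows the limit of static scanning that the article describes: once the logic lives in a dex file fetched from the C2 after install, the strings in the published APK are all a scanner has, and behavioural analysis at runtime is needed to see the rest.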
The updated trojan has features to thoroughly log user interface elements and user interactions (clicks, gestures, and so on), which researchers said could serve as a workaround for the FLAG_SECURE flag that banking applications set so their screens are not captured in screenshots.
The downside of using droppers is that the victim must actively take several distinct steps for the malware installation to occur. However, well-crafted distribution channels and interfaces will remain the universal method of getting malware installed.
It is always important to verify if apps that you're installing are downloaded from the legitimate Google Play Store website rather than from a third-party site.