Mobile security firm Threat Fabric has reported that a new wave of dropper apps has hit the official Google Play Store. The apps use bogus updates to get banking trojans installed on users’ devices.
In total, Threat Fabric researchers identified five Android dropper apps, which collectively had 130,000 installations. All five were found on the Google Play Store, and they distributed banking trojans such as Vultur and SharkBot.
These trojans can steal financial data and carry out on-device fraud. Here is the list of the five dropper apps, four of which were still available online.
- File Manager Small, Lite – No Downloads
- My Finances Tracker – Downloaded 1,000+ times
- Codice Fiscale 2022 – Downloaded 10,000+ times
- Zetter Authenticator – Downloaded 10,000+ times
- Recover Audio, Images & Videos – Downloaded 100,000+ times
Reportedly, the dropper apps target around 231 banking apps and cryptocurrency wallet apps of financial organizations based in Germany, the UK, Spain, the USA, France, Australia, Poland, the Netherlands, and Austria.
The most recent attack wave involved the distribution of SharkBot malware, and the targets were bank users in Italy. The attacks were discovered in early October 2022, and the dropper was disguised as an app for the country’s tax code.
How Do the Apps Install Malware?
Google’s Developer Program Policy restricts the use of the REQUEST_INSTALL_PACKAGES permission to prevent its abuse for installing arbitrary app packages. However, the dropper bypasses this barrier by opening a fake Play Store page that imitates the app listing, which results in the download of malware disguised as an update.
In another instance, Threat Fabric researchers found that the dropper posed as a file manager app, a category that, under Google’s new policy, is allowed to hold the REQUEST_INSTALL_PACKAGES permission.
Additionally, three droppers that did provide their advertised features were discovered. They carried a hidden function that, once the app was opened, prompted the user to install an update and to grant permission to install apps from unverified sources.
This led to the distribution of Vultur. Its new variant comes with enhanced capabilities: it can log user interaction and interface elements more extensively, including gestures and clicks.
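A defender triaging store apps can check a decoded AndroidManifest.xml for the REQUEST_INSTALL_PACKAGES permission discussed above. The following is an added example, not code from Threat Fabric or from the original article; the sample manifests and package names are constructed, and it assumes the manifest has already been decoded to plain XML.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
INSTALL_PERM = "android.permission.REQUEST_INSTALL_PACKAGES"

# Constructed sample manifests in decoded XML form; package names are made up.
SAMPLE_FILE_MANAGER = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.filemanager">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="Example File Manager"/>
</manifest>"""

SAMPLE_TRACKER = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.tracker">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Example Finance Tracker"/>
</manifest>"""


def requested_permissions(root):
    """Collect permission names from both permission element types."""
    name_attr = "{%s}name" % ANDROID_NS
    perms = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for element in root.iter(tag):
            if element.get(name_attr):
                perms.add(element.get(name_attr))
    return perms


def triage(manifest_xml):
    """Return the package name and what the manifest says about APK installs."""
    root = ET.fromstring(manifest_xml)
    has_install = INSTALL_PERM in requested_permissions(root)
    if has_install:
        verdict = "can request APK installs itself: review any update prompts"
    else:
        # The fake Play Store page is opened in the browser, which needs no
        # install permission, so a clean manifest does not clear the app.
        verdict = "no install permission: browser side-loading not ruled out"
    return {"package": root.get("package"), "install_perm": has_install,
            "verdict": verdict}


if __name__ == "__main__":
    for sample in (SAMPLE_FILE_MANAGER, SAMPLE_TRACKER):
        print(triage(sample))
```

The second sample shows the limit of manifest review: the browser-based delivery described above leaves no permission trace, so runtime behavior still has to be examined.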
Dropper Apps: An Emerging New Threat
In their blog post, researchers at Threat Fabric claim to have observed a sudden increase in threat actors’ reliance on dropper apps. In fact, it has become quite a popular and effective method of distributing banking trojans to unsuspecting users. Threat actors are continuously improving their attack tactics to evade Google’s limitations and increase the attack’s effectiveness.
“This evolution includes following newly introduced policies and masquerading as file managers and overcoming limitations by side-loading the malicious payload through the web browser.”
The uptick in dropper apps in official stores like the Google Play Store is because the apps themselves don’t contain malware. The malicious code is fetched after the app is installed on a vulnerable device. The suspicious activities run in the background, without raising red flags.