ThreatFabric researchers found 5 malicious downloader apps in the Google Play Store with over 130,000 downloads.
ThreatFabric researchers discovered five malicious dropper apps on the official Google Play store. The dropper apps were designed to deliver banking Trojans such as SharkBot and Vultur and have been installed more than 130,000 times in total.
“Droppers on Google Play go from using AccessibilityService to automatically allow installations from unknown sources to using legitimate sources to control them and store malicious payloads,” reads the analysis published by ThreatFabric. “With updates to the Developer Program Policies and system updates, actors immediately introduced new ways to sneak into the official store, overcome restrictions or adjust droppers to follow guidelines without raising suspicion.”
In early October 2022, experts discovered a new campaign spreading the Sharkbot banking Trojan. The campaign targets Italian banking customers with Sharkbot versions 2.29 – 2.32, delivered through a dropper app on Google Play with over 10k installs. The malicious app was disguised as a tool to calculate Italian tax codes (“Codice Fiscale”), targeting Italian users.
Unlike the previous Sharkbot campaign, however, the dropper app used in this campaign requests only three fairly common permissions to avoid suspicion.
To avoid requesting the REQUEST_INSTALL_PACKAGES permission, the dropper opens a fake Google Play Store page that imitates the Codice Fiscale app listing. The page shows fabricated install counts and reviews and prompts victims to update the app. Once the page is opened, the download of the payload starts automatically.
“As a result, the dropper outsources the download and installation process to the browser, avoiding questionable permissions,” continues the report. “Obviously, this method requires more action from the victim, as the browser will display several messages about the downloaded file. However, since the victim is confident of the app’s origin, they will most likely install and run the downloaded Sharkbot payload.”
These droppers are designed to target 231 banking and cryptocurrency wallet applications from entities in Italy, UK, Germany, Spain, Poland, Austria, US, Australia, France and the Netherlands.
Recently, ThreatFabric also discovered three new dropper apps on the Google Play Store, with install counts ranging from 1,000 to 100,000. These apps masquerade as security authenticators or file recovery tools and deliver new variants of the Vultur Android banking malware.
The new variant adds the ability to log user interface elements and interaction events, which allows it to bypass the FLAG_SECURE window flag that prevents screen capture.
“Android provides a way to mark window content as safe by using “FLAG_SECURE”, which prevents it from “appearing in screenshots or being viewed on insecure displays”. ThreatFabric tested this and was able to confirm that windows with this flag enabled only show a black screen during screen streaming,” the report continues. “However, if the keyboard is open during interaction with a protected application, it will be visible in recordings along with all keys pressed by the victim, leading to possible theft of input data. In this case, even with a black screen, when all UI events are logged and sent to the C2, enough information can be obtained to steal credentials.”
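As an added defensive example (not code from the ThreatFabric report or from any of the apps it describes), the following Android activity applies FLAG_SECURE and also limits what an accessibility-based UI logger can observe on a sensitive field; the class name, layout and view ids are hypothetical placeholders.

```java
import android.accessibilityservice.AccessibilityServiceInfo;
import android.app.Activity;
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.os.Bundle;
import android.text.InputType;
import android.util.Log;
import android.view.View;
import android.view.WindowManager;
import android.view.accessibility.AccessibilityManager;
import android.widget.EditText;
import java.util.ArrayList;
import java.util.List;

public class SecureLoginActivity extends Activity {   // hypothetical activity
    private static final String TAG = "SecureLogin";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // Blacks out this window in screenshots and screen streams. It does NOT cover
        // the keyboard (IME), which is a separate window the app does not own.
        getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE,
                             WindowManager.LayoutParams.FLAG_SECURE);
        setContentView(R.layout.activity_login);            // hypothetical layout
        EditText password = findViewById(R.id.password);    // hypothetical view id
        // Password input types are not exposed as plain text to accessibility services.
        password.setInputType(InputType.TYPE_CLASS_TEXT
                | InputType.TYPE_TEXT_VARIATION_PASSWORD);
        // Removes the field from the accessibility node tree that UI-event loggers read.
        // Trade-off: this also hides it from legitimate assistive technology.
        password.setImportantForAccessibility(View.IMPORTANT_FOR_ACCESSIBILITY_NO);
    }

    @Override
    protected void onResume() {
        super.onResume();
        // Surface active third-party accessibility services to the user or risk engine.
        for (String pkg : enabledNonSystemAccessibilityServices(this)) {
            Log.w(TAG, "Non-system accessibility service is active: " + pkg);
        }
    }

    /** Package names of enabled accessibility services that are not part of the system image. */
    static List<String> enabledNonSystemAccessibilityServices(Context ctx) {
        AccessibilityManager am =
                (AccessibilityManager) ctx.getSystemService(Context.ACCESSIBILITY_SERVICE);
        List<String> result = new ArrayList<>();
        for (AccessibilityServiceInfo info
                : am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)) {
            ApplicationInfo app = info.getResolveInfo().serviceInfo.applicationInfo;
            if ((app.flags & ApplicationInfo.FLAG_SYSTEM) == 0) result.add(app.packageName);
        }
        return result;
    }
}
```

The warning is a signal for the user or a server-side risk engine, not a block: many users legitimately rely on third-party accessibility services.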
A list of malicious downloaders is included in the report’s appendix.