NOVEMBER 1, 2022
Malware authors and cybersecurity developers are locked in a constant war: new mechanisms are introduced to patch new types of security issues, and malware authors find new exploits to work around them. While Android 13 introduced a set of restrictions that helped the OS gain an edge, the advantage was apparently short-lived, and cybercriminals have found new ways to sneak malware apps into the Google Play Store. Mobile security firm ThreatFabric has discovered a new wave of “dropper” apps on the official store that use bogus updates to get banking trojans installed on users’ devices.
What are droppers?
A dropper is a kind of Trojan that’s been designed to install some sort of malware on a target machine. Malware that’s contained within the dropper is hard to spot because it’s hidden in a way that avoids detection by antivirus programs. The dropper doesn’t contain any malware at the time of installation and may only download it once it’s activated.
The Sharkbot malware delivered by these droppers is designed to steal user login credentials, particularly those used to log in to banking applications. It is even capable of bypassing SMS two-factor authentication (2FA) by reading SMS messages to steal authentication codes.
ThreatFabric has spotted a new campaign of the Sharkbot banking Trojan targeting Italian banking users. One of the apps carrying this malware, named Codice Fiscale, was recently spotted by the security firm. The app garnered over 10,000 installations and was disguised as a tax code calculator. It was particularly nefarious because its authors did their best to hide the dropper’s malicious intent: Codice Fiscale did not install malware on the device on its own. Instead, it outsourced that step to the browser by opening a fake Play Store page asking the user to update the app. Clicking the update button installs the malware APK, giving the authors what they wanted.
Vultur is another malware family, discovered in July 2021 by ThreatFabric. It has been very active in the last year and specializes in stealing personally identifiable information (PII) from infected devices by recording and keylogging certain applications. The stolen PINs and passwords are then used by the attackers to perform actions on the victim’s device, effectively leading to On-Device Fraud (ODF), a type of fraud in which transactions are initiated from the victim’s own device.
ThreatFabric has spotted three new droppers on the Play Store delivering this malware, with thousands of installations. These apps pose as security authenticators or file recovery tools. They install the malware in a manner very similar to Sharkbot’s droppers: they prompt the user to install it on the pretext of an app update.
One of the most successful distributors of the Vultur malware is the “Brunhilda Project” crew, whose campaigns in the past few months have reached over 100,000 potential fraud victims.
What can be done to avoid these?
ThreatFabric concludes that, despite the Play Store’s constant changes to policy and security, malware like the families mentioned above is “here to stay.” The Google Play Store remains the most affordable and scalable way of reaching victims, because other tactics such as telephone-oriented attack delivery require a lot more resources.
In such a case, it’s advisable to exercise caution when downloading unpopular apps and not to install any ‘updates’ that an app prompts for via the browser. Android updates apps through the pre-installed Google Play Store app; if a third-party app asks you to update through a browser, it’s best to uninstall it.
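As an added example (not from ThreatFabric or this article), the following triage script applies the advice above: it parses the output of `adb shell pm list packages -i` and flags user apps whose recorded installer is not the Play Store, which is what a browser-delivered “update” APK looks like once installed. The package names in the sample are constructed, and the trusted-installer set is an assumption for stock Google devices.

```python
import re
from typing import Dict, List, Optional

# Assumption: on a stock Google device the Play Store is com.android.vending.
# Add vendor stores (e.g. a Samsung or Amazon store package) if your fleet uses them.
TRUSTED_INSTALLERS = {"com.android.vending"}

# One line of `adb shell pm list packages -i` output looks like:
#   package:com.example.app  installer=com.android.vending
# Sideloaded or preinstalled packages report installer=null.
LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)\s*$")


def parse_pm_output(text: str) -> Dict[str, Optional[str]]:
    """Map package name -> installer package (None when reported as null)."""
    result: Dict[str, Optional[str]] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank lines and anything that is not a package entry
        inst = m.group("inst")
        result[m.group("pkg")] = None if inst == "null" else inst
    return result


def sideloaded_packages(installers: Dict[str, Optional[str]]) -> List[str]:
    """Return user-facing packages whose installer is not a trusted store.

    Heuristic: com.android.* and com.google.android.* are treated as system
    components (preinstalled, no installer recorded) and are not flagged.
    """
    flagged = []
    for pkg, inst in installers.items():
        if pkg.startswith(("com.android.", "com.google.android.")):
            continue
        if inst not in TRUSTED_INSTALLERS:
            flagged.append(pkg)
    return sorted(flagged)


# Constructed sample output; package names are illustrative, not real indicators.
SAMPLE_PM_OUTPUT = """\
package:com.android.settings  installer=null
package:com.google.android.gms  installer=null
package:com.example.bank  installer=com.android.vending
package:com.example.taxcalc  installer=com.android.vending
package:com.example.taxcalc.update  installer=com.google.android.packageinstaller
package:com.example.recovery  installer=null
"""

if __name__ == "__main__":
    for pkg in sideloaded_packages(parse_pm_output(SAMPLE_PM_OUTPUT)):
        print("review:", pkg)
```

Packages the script flags are candidates for review, not proof of infection; a legitimately sideloaded app shows up the same way, so check each one against what the user actually installed.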
List of popular Sharkbot/Vultur malware apps you’d want to remove if they’re installed
Of course, the following apps have already been pulled from the Play Store, but if you happen to still have them installed, then you’d want to delete them immediately.
- Codice Fiscale 2022
- File Manager Small, Lite
- My Finances Tracker
- Zetter Authenticator