Researchers at ThreatFabric have discovered five malicious dropper apps on the official Google Play Store. The malicious dropper apps are designed to deliver banking trojans, such as SharkBot and Vultur, that already totaled over 130,000 installations.
“Droppers on Google Play went from using AccessibilityService to auto-allow installation from unknown sources to using legitimate sources to control them and store malicious payloads.” reads the analysis published by ThreatFabric. “Following the updates to the “Developer Program Policy” and system updates, actors immediately introduce new ways to sneak to the official store, overcoming limitations or adjusting droppers to follow the guidelines and not arouse suspicion.”
In the beginning of October 2022, the experts uncovered a new campaign spreading the banking Trojan Sharkbot. The campaign is targeting Italian banking users with Sharkbot version 2.29 – 2.32 that were delivered using dropper apps on Google Play with 10k+ installations. The malicious apps were masqueraded as an app to calculate tax code in Italy (“Codice Fiscale”) targeting Italian users.
However, unlike previous Sharkbot campaigns, the dropper apps used in this campaign only used three permissions that are quite common to avoid raising suspicion.
To avoid using REQUEST_INSTALL_PACKAGES permission, the dropper apps open a fake Google Play store page impersonating Codice Fiscale app page. The page contains fake information about the number of installations and feedback and recommends the victim update their installs. Once the page is opened, the automatic download starts.
“Thus, the dropper outsources the download and installation procedure to the browser, avoiding suspicious permissions.” continues the report. “Obviously, such approach requires more actions from the victim, as the browser will show several messages about the downloaded file. However, since victims are sure about the origin of the application, they will highly likely install and run the downloaded Sharkbot payload.”
The droppers are designed to target include 231 banking and cryptocurrency wallet apps from entities in Italy, the U.K., Germany, Spain, Poland, Austria, the U.S., Australia, France, and the Netherlands.
Recently, ThreatFabric also discovered 3 new dropper apps on the Google Play store, the apps totaled from 1.000 to 100.000 installations. The apps masqueraded as security authenticators or file recovery tools and deliver a novel variant of Vultur Android Banking malware.
The new variant supports additional capabilities to log user interface elements and interaction events to avoid using the FLAG_SECURE window flag to prevent screen captures.
“Android offers a way to tag the content of the window as secure, by using the “FLAG_SECURE”, which prevents it “from appearing in screenshots or from being viewed on non-secure displays”. ThreatFabric tested this and is able to confirm that windows with this flag enabled only show a black screen during screen-streaming.” continues the report. “However, if the keyboard is opened during interaction with the secured app, it will be visible on the recording as well as all the keys pressed by victim leading to potential theft of input data. In this case, it is possible to obtain enough information to steal credentials even with a black screen, when all the UI events are logged and sent to the C2.”
The list of malicious droppers is included in the Appendix of the report.
(SecurityAffairs – hacking, Android)