Malicious dropper apps in the Play Store totaled 30,000+ installations Security Affairs

ThreatFabric researchers discovered five malicious dropper apps in the Google Play Store with more than 130,000 downloads.

Researchers at ThreatFabric have discovered five malicious dropper apps in the official Google Play Store. The malicious dropper apps are designed to deliver banking trojans, such as SharkBot and Vultur, which already have a total of over 130,000 installations.

“Droppers on Google Play went from using AccessibilityService to automatically allow installation from unknown sources to using legitimate sources to control them and store malicious payloads.” reads the analysis published by ThreatFabric. “After the updates to the “Developer Program Policy” and system updates, players immediately introduce new ways to sneak into the official store, overcome restrictions or adjust droppers to follow the guidelines and not raise suspicion.”

At the beginning of October 2022, the experts uncovered a new campaign spreading the banking trojan Sharkbot. The campaign targets Italian bank users with Sharkbot version 2.29 – 2.32 which were delivered with dropper apps on Google Play with 10k+ installs. The malicious apps were masquerading as an app to calculate tax code in Italy (“Codice Fiscale”) targeting Italian users.

However, unlike previous Sharkbot campaigns, the dropper apps used in this campaign only used three permissions which are quite common to avoid raising suspicion.

To avoid using REQUEST_INSTALL_PACKAGES permission, the dropper apps open a fake Google Play Store page that mimics the Codice Fiscale app page. The page contains false information about the number of installations and feedback and advises the victim to update their installations. Once the page is opened, the automatic download will start.

“Thus, the dropper outsources the download and installation procedure to the browser, avoiding suspicious permissions.” the report continues. “Obviously, such an approach requires more actions from the victim, as the browser will display more messages about the downloaded file. However, since victims are sure of the origin of the program, they will most likely install and run the downloaded Sharkbot payload.”

The drops are designed to target, among others, 231 bank and cryptocurrency wallets from entities in Italy, the UK, Germany, Spain, Poland, Austria, the US, Australia, France and the Netherlands.

Recently, ThreatFabric also discovered 3 new dropper apps in the Google Play Store, the apps accounted for from 1,000 to 100,000 installs. The apps are masquerading as security authentication tools or file recovery tools and deliver a new variant of the Vultur Android Banking malware.

The new variant supports additional features to log UI elements and interaction events to avoid using the FLAG_SECURE window flag to prevent screen capture.

“Android provides a way to mark the contents of the window as secure by using “FLAG_SECURE”, which prevents it “from appearing in screenshots or from being viewed on non-secure screens”. ThreatFabric tested this and can confirm that windows with this flag enabled only display one black screen during screen streaming.” the report continues. “But if keyboard opened during interaction with the secured app, it will be visible on the recording as well as all keys pressed by the victim leading to potential theft of input data. In this case, it is possible to get enough information to steal credentials even with a black screen, once all the UI events are logged and sent to C2.”

The list of malicious droppers is included in the appendix of the report.

Follow me on Twitter: @securityaffairs and Facebook