New Dropper apps in Play Store targeting banking and crypto wallets

The mobile security firm Threat Fabric reported that a new wave of dropper apps has hit the official Google Play Store. The apps use fake updates to install banking trojans on users’ devices.

Details of the findings

In total, Threat Fabric researchers identified five Android dropper apps with a combined 130,000 installs. All were discovered on the Google Play Store, and they distributed banking trojans such as Vultur and SharkBot.

These trojans can steal financial data and perform fraud on the device. Here is the list of the five dropper apps, four of which were still available online.

  1. File manager small, small – no downloads
  2. My Finances Tracker – Downloaded 1000+ times
  3. Codice Fiscale 2022 – Downloaded 10,000+ times
  4. Zetter Authenticator – Downloaded 10,000+ times
  5. Recover Audio, Photos and Videos – Downloaded 100,000+ times

Potential targets

Reportedly, the dropper apps’ targets include around 231 banking apps and cryptocurrency wallet apps from financial organizations based in Germany, the UK, Spain, the US, France, Australia, Poland, the Netherlands and Austria.

The latest wave of attacks distributed SharkBot malware and targeted bank users in Italy. The attacks were discovered in early October 2022, and the dropper was disguised as an app for the country’s tax code.

How do apps install malware?

Google’s Developer Program Guidelines restrict the use of the REQUEST_INSTALL_PACKAGES permission to prevent its abuse for installing arbitrary app packages. However, the dropper bypasses this barrier by opening a fake Play Store page that mimics the app listing, which results in the download of malware disguised as an update.

In another case, Threat Fabric researchers discovered that the dropper posed as a file manager app, a category that, according to Google’s new policy, can have the REQUEST_INSTALL_PACKAGES permission.

In addition, three droppers were discovered that offer their advertised features but also carry a hidden feature that prompts users to install an update after they open the app and grant permission to install apps from unverified sources.

This led to the distribution of Vultur. The new variant comes with improved features: it can log user interaction and interface elements more extensively, including gestures and clicks.
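As an added example (not from Threat Fabric's report or the original article), here is a triage check a defender could run over AndroidManifest.xml files already decoded to text XML, flagging apps that request REQUEST_INSTALL_PACKAGES and are not on an approved-installer list. The function names, package names, allowlist and sample manifests are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
INSTALL_PERM = "android.permission.REQUEST_INSTALL_PACKAGES"
PERM_TAGS = ("uses-permission", "uses-permission-sdk-23")


def requested_permissions(manifest_xml):
    """Return (package, set of permission names) from a decoded manifest."""
    # Manifests from untrusted APKs are untrusted XML; a hardened parser is preferable.
    root = ET.fromstring(manifest_xml)
    perms = set()
    for tag in PERM_TAGS:
        for node in root.iter(tag):
            name = node.get(ANDROID_NS + "name")
            if name:
                perms.add(name)
    return root.get("package", ""), perms


def triage(manifest_xml, approved_installers=frozenset()):
    """Classify one app as 'review', 'approved' or 'no-install-permission'."""
    package, perms = requested_permissions(manifest_xml)
    if INSTALL_PERM not in perms:
        # Not a clean result: the fake Play Store page opened in the browser,
        # described above, needs no install permission in the dropper itself.
        return package, "no-install-permission"
    if package in approved_installers:
        return package, "approved"
    return package, "review"


# Constructed sample manifests (hypothetical package names).
SAMPLE_FILE_MANAGER = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.filemanager">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="File Manager"/>
</manifest>"""

SAMPLE_TRACKER = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.tracker">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Tracker"/>
</manifest>"""

if __name__ == "__main__":
    for xml_text in (SAMPLE_FILE_MANAGER, SAMPLE_TRACKER):
        print(triage(xml_text, approved_installers={"com.example.mdm"}))
```

A "review" result only means the app is able to prompt for package installs and should be checked against its stated purpose; it is not a malware verdict.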

Dropper apps – a new threat on the way

In their blog posts, researchers at Threat Fabric claim to have observed a sudden increase in threat actors’ reliance on dropper apps. In fact, it has become quite a popular and effective method of distributing banking Trojans to unsuspecting users. Threat actors are constantly improving their attack tactics to avoid Google’s limitations and increase attack effectiveness.

“These developments include following newly introduced guidelines and masquerading as file handlers and overcoming limitations by sideloading the malicious payload through the browser.”

Dropper apps are on the rise in official stores like Google Play Store because the apps themselves do not contain malicious software. The malicious code is retrieved after the app is installed on a vulnerable device. The suspicious activities go on in the background, without raising red flags.
