Malicious Dropper Apps on Google Play Store Distribute Trojans

Cybercriminals are once again using Google Play Store apps to distribute malicious code, but this time they’re targeting financial data exclusively. Cybersecurity researchers from ThreatFabric discovered 5 dropper apps responsible for distributing malware to more than 130,000 systems.

Google’s Play Store hosts millions of apps that see billions of downloads every year, but not all of them are safe. Many apps are made to steal data and install backdoors into a user’s system. They run code in the background with the purpose of extracting valuable information that the threat actors can use to commit fraud and identity theft.

More and more such apps, known as droppers, bypass Google’s restrictions despite the company’s increasing efforts to remove malicious content. Droppers are apps that deliver the advertised features but also carry a trojan payload. Garden-variety antivirus and firewall products rarely flag droppers as suspicious.

Sharkbot Dropper Campaign Targets Banking Users

ThreatFabric discovered the Sharkbot dropper campaign earlier in October 2022. The malware was targeting banking users in Italy through an app on the Play Store called “Codice Fiscale.” The app posed as a tax calculator for Italy, but it also installed a trojan that harvested data from banking apps and crypto wallets.

The dropper apps didn’t arouse suspicion from Google because they followed the guidelines. Sharkbot used common permissions that wouldn’t trip Google’s alarms. ThreatFabric explained:

Following the updates to the Developer Program Policy and system updates, actors immediately introduce new ways to sneak into the official store, overcoming limitations or adjusting droppers to follow the guidelines and not arouse suspicion.

Sharkbot tricked users by launching a fake Play Store page that resembled the legitimate one. It convinced them to update the app by displaying fake download counts and reviews. The dropper would then start the installation through the browser without requesting suspicious permissions such as REQUEST_INSTALL_PACKAGES, which would normally trigger Google’s defenses.

Screenshot showing Sharkbot dropper Codice Fiscale and its permissions
Image credit: ThreatFabric

While this Sharkbot dropper targeted only Italian users, another one called “File Manager” was configured to distribute the trojan to users in the US, Germany, France, Australia, the UK, and other countries in Europe.

The Brunhilda Project Hacker Group Is Back

Sharkbot wasn’t the only dropper discovered by ThreatFabric. The researchers identified three more apps distributing an Android banking trojan known as Vultur. The malware is programmed to steal data, but it also streams the screen of the victim and allows the hacker to perform actions directly on the infected system.

Screenshot displaying the Vultur dropper campaign using Google Play Store apps
Image credit: ThreatFabric

Vultur is known for being used by the Brunhilda Project threat actor. These hackers distribute Android banking malware through droppers that bypass all of Google’s security checks. Recently, they used three apps, namely “My Finances Tracker,” “Zetter Authenticator,” and “Recover Audio, Images & Videos,” to deliver the Vultur payload. Up to 100,000 installations were reported by Google.

How to Protect Yourself Against Google Play Droppers

As mentioned, droppers are just trojanized apps. Google continuously updates its security measures, but this delivery method relies on social engineering to convince the user to install the malware, which means the user has to take several steps before the payload is actually downloaded and installed. Here are a few things you can do to avoid falling for a convincing dropper:

• Vet any app before installing it. Stick to well-known companies and check reviews from multiple sources.
• Pay attention to suspicious links. Don’t click on anything unsolicited.
• Use a reliable VPN to shield your network connection and encrypt your data. Try CyberGhost VPN – we secure up to 7 devices simultaneously and we don’t log your data.
• Stick to reputable stores. No online store is 100% safe, but large ones like the Play Store are definitely less risky than third-party platforms.
• Check your system regularly for unknown apps running in the background and remove them.
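One concrete way to do that last check, and to spot apps that arrived the way the Sharkbot dropper delivers its payload (a download through the browser rather than a Play Store install), is to list each third-party package together with the installer Android recorded for it. The script below is an added example, not ThreatFabric’s tooling; it assumes the `package:<name>  installer=<installer>` output format of `adb shell pm list packages -i -3` and treats only the Play Store package (`com.android.vending`) as trusted.

```shell
#!/bin/sh
# Added example: flag third-party packages whose recorded installer is not the
# Play Store. Assumed input format (one line per package, from
# `adb shell pm list packages -i -3`):
#   package:com.example.app  installer=com.android.vending
# A package pulled in through a browser download shows the browser (or
# "installer=null") here instead of the Play Store.

TRUSTED_INSTALLER="com.android.vending"   # Google Play Store package name

# Reads pm output on stdin; prints "<package> <installer>" for every package
# that was not installed by the Play Store.
flag_sideloaded() {
    while IFS= read -r line; do
        case "$line" in
            package:*) ;;
            *) continue ;;          # skip anything that is not a package line
        esac
        pkg=${line#package:}
        pkg=${pkg%%[[:space:]]*}    # cut at the first whitespace
        inst=${line##*installer=}
        inst=${inst%%[[:space:]]*}
        [ "$inst" = "$TRUSTED_INSTALLER" ] && continue
        printf '%s %s\n' "$pkg" "$inst"
    done
}

# Constructed sample (not real device data) so the script runs stand-alone.
SAMPLE='package:com.bank.app  installer=com.android.vending
package:com.example.filemanager  installer=com.android.chrome
package:com.example.tool  installer=null'

# Number of flagged packages in the sample; expected: 2.
count_flagged_sample() {
    printf '%s\n' "$SAMPLE" | flag_sideloaded | wc -l | tr -d ' '
}

# On a connected device: adb shell pm list packages -i -3 | flag_sideloaded
printf '%s\n' "$SAMPLE" | flag_sideloaded
```

A flagged package is not proof of malware, since apps installed over ADB or from another legitimate store show up too, but each one deserves a second look before it is trusted with banking credentials.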

As more and more people are using smartphones for financial transactions, cybercriminals are targeting Android users with more sophisticated viruses. They want your login info, banking data, and any valuable information they can get their hands on. Secure all of your devices and take precautionary measures to avoid malware and keyloggers.
