Malware droppers installing banking trojans caught with 130,000 Play Store downloads

Reporters over at Threat Fabric have discovered a new set of Android malware droppers installing banking trojans disguised as app updates. The malware being distributed are strains Sharkbot, and Vultur, and the five droppers have a combined 130,000 installations. 

Malware droppers are a category of malware that installs the actual malicious payload as app updates. This makes them harder to catch as the actual dropper doesn’t have any malicious code and hence makes it onto the Google Play Store without raising suspicion. The researchers also pointed out an increase in the use of droppers as attack vectors due to the aforementioned reasons. 

Sharkbot was the first of the two droppers spotted by the researchers at the beginning of October. Two relatively harmless-looking apps were pushing it called Codice Fiscale 2022 and File Manager Small Lite. The former was disguised as a tax calculating tool in Italy and has been downloaded nearly 10,000 times. The latter delivers a variant of Sharkbot configured to load overlays for banks in Italy, the UK, Germany, Spain, Poland, Austria, Australia, and the United States.

Upon installation, Codice Fiscale 2022 prompts the user to install a fake update which installs the malicious Sharkbot payload. The app requires the REQUEST_INSTALL_PACKAGES permission to do this, and current Android versions warn the user of potentially malicious activity that can happen as a result of granting this permission. 

To counter this, the app loads a webpage impersonating Google Play and making the user tap an update button, bypassing the permission and downloading the payload as a separate app. This particular payload targets Italian banks using fake overlays, SMS interception for OTP capturing, keylogging and cookie stealing. 

The second trojan, Vultur, is being propagated by apps named Recover Audio, Images & Videos, Zetter Authentication and My Finances Tracker, which have been downloaded 100,000, 10,000 and 1000 times, respectively. 

These apps also employ the same tactics as the Sharkbot droppers to trick users into installing the so-called update. They also don’t carry the installation logic in the file uploaded on the Play Store to avoid detection. The installation instructions are later inserted dynamically by an additional DEX file sent by the attacker’s C2 server. Additionally, these droppers also include AES encryption to obfuscate strings and avoid detection from automated scanners. 

In the News: Android malware caught targeting 18 Indian banks