These Dropper Apps on the Play Store Target Over 200 Banking and Cryptocurrency Wallet Apps
On the Google Play Store, researchers found five malicious dropper Android apps that had a cumulative total of more than 130,000 installations. These apps were found to be distributing banking trojans such as SharkBot and Vultur, which are capable of stealing financial data and carrying out on-device fraud.
The Dutch mobile security company ThreatFabric told The Hacker News in a statement that "these droppers continue the unstoppable growth of malicious applications slipping to the official market."
"This evolution involves following newly established policies, masquerading as file managers and circumventing limits by side-loading the malicious payload via a web browser," the company added.
The droppers target 231 banking and cryptocurrency wallet apps from institutions in countries including Italy, the United Kingdom, Germany, Spain, Poland, Austria, the United States, France, Australia and the Netherlands.
Dropper apps on official app stores such as Google Play have become an increasingly popular and efficient way to distribute banking malware to unsuspecting users, and the threat actors behind these campaigns keep refining their tactics to get around the restrictions Google imposes on them.
The following is the list of malicious apps, four of which are still available for download from the store:
Codice Fiscale 2022 (com.iatalytaxcode.app) - 10,000+ downloads
File Manager Small, Lite (com.paskevicss752.usurf) - 0 downloads
Monitor of My Financial Situation (com.all.finance.plus) - 1,000+ downloads
Retrieve Lost Audio, Pictures, and Videos (com.umac.recoverallfilepro) - 100,000+ downloads
Zetter Authenticator (com.zetter.fastchecking) - 10,000+ downloads
The most recent wave of SharkBot attacks, which began in early October 2022 and targeted Italian banking customers, used a dropper that posed as an app for looking up the Italian tax code ("Codice Fiscale 2022").
Although Google's Developer Program Policy restricts how the REQUEST_INSTALL_PACKAGES permission can be used, precisely to prevent it from being abused to install arbitrary app packages, the dropper gets around this once launched: it opens a fake Google Play page that impersonates the app's own listing, and from there the malware is downloaded under the guise of an update.
Offloading the malware download to the browser is only one of several tactics in use. In another case discovered by ThreatFabric, the dropper posed as a file manager, a category of app that Google's new policy still permits to hold the REQUEST_INSTALL_PACKAGES permission.
ThreatFabric also found three droppers that delivered the advertised functionality but carried a hidden routine: on launch, they prompted the user to install an update and to grant permission to install apps from unknown sources, which ultimately delivered Vultur.
According to ThreatFabric, the new Vultur variant stands out for adding the ability to extensively log user interface elements and interaction events (clicks, gestures and so on), most likely as a workaround for banking apps that set the FLAG_SECURE window flag to prevent their screens from being captured.
ThreatFabric's findings coincide with Cyble's discovery of an updated version of the Drinik Android trojan, which targets 18 Indian banks by posing as the official app of the country's tax department and abuses the accessibility services API to steal personal information.
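Both abuse patterns described above, an app holding REQUEST_INSTALL_PACKAGES without a legitimate reason for it and a third-party accessibility service reading the screen (the API Drinik abuses, and a channel FLAG_SECURE does not close), can be checked on a device from the output of two adb commands: `adb shell dumpsys package` and `adb shell settings get secure enabled_accessibility_services`. The Python helpers below parse that output and flag both. This is an added example, not code from ThreatFabric, Cyble or the article; the sample outputs, the `com.example.*` package names, the allowlist of expected installers and the trusted accessibility prefixes are all constructed for the example and would need tuning for a real fleet.

```python
import re

INSTALL_PERM = "android.permission.REQUEST_INSTALL_PACKAGES"

# Packages expected to hold REQUEST_INSTALL_PACKAGES on a stock device.
# Assumption for this example: tune it to the fleet you are triaging.
EXPECTED_INSTALLERS = {
    "com.android.vending",        # Google Play Store
    "com.android.chrome",         # browser, a permitted category
}

# Package prefixes whose accessibility services are treated as trusted.
# Assumption: a real deployment would allowlist exact component names.
TRUSTED_A11Y_PREFIXES = ("com.google.android.", "com.android.")


def parse_dumpsys_packages(text):
    """Map package name -> set of requested permissions from `dumpsys package` output.

    Only the 'requested permissions:' block of each package is read; any other
    indented 'something:' header ends that block.
    """
    result = {}
    current = None
    in_requested = False
    for line in text.splitlines():
        m = re.match(r"\s*Package \[([\w.]+)\]", line)
        if m:
            current = m.group(1)
            result[current] = set()
            in_requested = False
            continue
        if current is None:
            continue
        stripped = line.strip()
        if stripped == "requested permissions:":
            in_requested = True
        elif stripped.endswith(":"):
            in_requested = False
        elif in_requested and stripped:
            result[current].add(stripped)
    return result


def suspicious_installers(packages, expected=EXPECTED_INSTALLERS):
    """Packages that request REQUEST_INSTALL_PACKAGES but are not expected to."""
    return sorted(p for p, perms in packages.items()
                  if INSTALL_PERM in perms and p not in expected)


def parse_enabled_accessibility(setting_value):
    """Split the colon-separated enabled_accessibility_services value."""
    value = setting_value.strip()
    if not value or value == "null":   # `settings get` prints 'null' when unset
        return []
    return [c for c in value.split(":") if c]


def third_party_accessibility(components, trusted=TRUSTED_A11Y_PREFIXES):
    """Enabled accessibility services whose package is outside the trusted namespaces."""
    return [c for c in components if not c.split("/", 1)[0].startswith(trusted)]


# Constructed sample output in the shape `adb shell dumpsys package` prints;
# not captured from a real device.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.android.vending] (a1b2c3):
    userId=10022
    requested permissions:
      android.permission.INTERNET
      android.permission.REQUEST_INSTALL_PACKAGES
    install permissions:
      android.permission.INTERNET: granted=true
  Package [com.example.photo.recovery] (d4e5f6):
    userId=10187
    requested permissions:
      android.permission.INTERNET
      android.permission.REQUEST_INSTALL_PACKAGES
      android.permission.READ_EXTERNAL_STORAGE
    install permissions:
      android.permission.INTERNET: granted=true
  Package [com.example.notes] (0f9e8d):
    userId=10190
    requested permissions:
      android.permission.INTERNET
"""

# Constructed sample of `adb shell settings get secure enabled_accessibility_services`.
SAMPLE_A11Y = ("com.google.android.marvin.talkback/"
               "com.google.android.marvin.talkback.TalkBackService:"
               "com.example.photo.recovery/.AccessService")


def triage(dumpsys_text, a11y_setting):
    """Run both checks and return the findings as a dict."""
    return {
        "unexpected_installers": suspicious_installers(parse_dumpsys_packages(dumpsys_text)),
        "third_party_a11y": third_party_accessibility(parse_enabled_accessibility(a11y_setting)),
    }


if __name__ == "__main__":
    for key, hits in triage(SAMPLE_DUMPSYS, SAMPLE_A11Y).items():
        print(f"{key}: {hits or 'none'}")
```

On a real device, feed `triage()` the text of `adb shell dumpsys package` and of `adb shell settings get secure enabled_accessibility_services`. Note that requesting REQUEST_INSTALL_PACKAGES in the manifest is not the same as the user having allowed it: the grant is an app op, so `adb shell appops get <package> REQUEST_INSTALL_PACKAGES` tells you whether the "install unknown apps" toggle was actually turned on for a flagged package.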
The company noted: "Distribution using droppers on Google Play still remains the most 'cheap' and scalable technique of reaching victims for most of the actors of varying degrees."
"While more advanced strategies such as telephone-oriented attack delivery demand more resources and are difficult to scale, droppers on official and third-party stores enable threat actors to reach a huge unknowing audience with acceptable efforts," it added.