In the constant battle between malware authors and security developers, new mechanisms are introduced to patch new types of security issues, and malware authors find new ways to work around them. Cybercriminals have found new ways to sneak malware apps into the Google Play Store despite Android 13’s restrictions, giving those restrictions only a short-lived edge. The security firm ThreatFabric has detected a new wave of bogus updates that spread banking trojans to phones using “dropper” apps.
What is a dropper in cybersecurity?
The term dropper refers to a Trojan horse designed to install malware on its target machine. The malware delivered by a dropper is hard to detect because, at the time of installation, the dropper does not contain the malicious payload at all; it only downloads it once it is activated, so an antivirus scan of the installed app finds nothing.
What are SharkBot droppers?
SharkBot droppers deliver malware that aims to steal user login credentials, especially those used to access banking applications. It can even bypass SMS-based two-factor authentication (2FA) by reading SMS messages and stealing the authentication codes.
ThreatFabric has detected a new banking Trojan campaign targeting Italian bank users. Recently, the security firm spotted an app carrying this malware named Codice Fiscale. Over 10,000 people downloaded the app, which was disguised as a tax code calculator. The dropper was particularly nefarious because its authors went to lengths to conceal its malicious intent: Codice Fiscale did not install malware on the device itself. Through a fake Play Store page, it outsourced that step to the browser. Once the update button is clicked, the malware APK is installed, giving the malware authors what they wanted.
What are Vultur droppers?
ThreatFabric discovered Vultur as another malware family in July 2021. Over the last year, it has been very active in stealing personally identifiable information (PII) from infected devices. Using the stolen PINs and passwords, the attackers execute actions directly on the victim’s device, a type of fraud known as On-Device Fraud (ODF).
There are three new droppers on the Play Store using this malware with thousands of installations, according to ThreatFabric. These apps pose as apps like security authenticators or file recovery tools.
They follow the same pattern as the SharkBot droppers in that they prompt users to install malware under the guise of updating an application.
In recent campaigns, the “Brunhilda Project” crew has reached over 100,000 fraud victims with their Vultur malware.
Can these be prevented?
Although Play Store policies and security have been constantly changed, ThreatFabric concludes that malware like those mentioned above is “here to stay.” Since other tactics like telephone-based attack delivery require a lot of resources, the Google Play Store remains the most affordable and scalable means of reaching victims.
It is recommended to exercise caution when downloading unpopular apps and not to install any ‘updates’ an app may prompt through the browser. It’s best to uninstall any third-party app that asks you to update it through a browser. Android updates apps through the pre-installed Google Play Store app.
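A quick way to act on the advice above is to check which installed apps did not come from the Play Store. The script below is an added example, not from ThreatFabric or the original article: it parses the output format of `adb shell pm list packages -i` and flags every package whose recorded installer is not `com.android.vending` (the Play Store). The sample input is constructed; package names in it are placeholders.

```shell
#!/bin/sh
# Flag installed packages whose recorded installer is not the Play Store.
# Input is the format of `adb shell pm list packages -i`, e.g.
#   package:com.example.app  installer=com.android.vending
#   package:com.example.other  installer=null

PLAY_STORE="com.android.vending"

# Print "<package> <installer>" for each line whose installer is not Play Store.
flag_sideloaded() {
  # $1: text in `pm list packages -i` format
  printf '%s\n' "$1" | awk -v play="$PLAY_STORE" '
    /^package:/ {
      pkg = $1; sub(/^package:/, "", pkg)
      inst = "unknown"
      for (i = 2; i <= NF; i++) if ($i ~ /^installer=/) inst = substr($i, 11)
      if (inst != play) print pkg, inst
    }'
}

# Number of flagged packages, handy for a one-line summary.
count_sideloaded() {
  flag_sideloaded "$1" | wc -l | tr -d ' '
}

# Constructed sample, not real device output (placeholder package names).
SAMPLE='package:com.android.chrome  installer=com.android.vending
package:com.example.bankingapp  installer=com.android.vending
package:com.example.filemanager  installer=null
package:com.example.update  installer=com.android.packageinstaller'

# Stand-alone run: use a connected device if adb is available, else the sample.
if command -v adb >/dev/null 2>&1 && adb get-state >/dev/null 2>&1; then
  flag_sideloaded "$(adb shell pm list packages -i)"
else
  flag_sideloaded "$SAMPLE"
fi
```

Preloaded system apps also report `installer=null`, so review the flagged list rather than treating every hit as malicious; a third-party app installed via the browser-prompted "update" flow shows up here as `com.android.packageinstaller` or `null`.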
There are a few popular SharkBot/Vultur malware apps you should remove from your device if you have them installed.
The following apps have already been removed from the Google Play Store, but if you still have them installed, please remove them.
- File Manager Small, Lite
- My Finances Tracker
- Codice Fiscale 2022
- Zetter Authenticator