KEY POINTS

  • Malicious actors are using a new way to install banking trojans on devices
  • Researchers found that the trojans are delivered via malware droppers
  • Unlike malicious apps, malware droppers can easily get into app stores because they do not contain malicious code themselves

Security researchers uncovered a set of malware droppers on the Google Play Store that disguise themselves as app updates to install banking trojans on devices. If you have any of these apps, uninstall them immediately.

Compared to malicious apps, malware dropper apps are much harder to spot, and they can easily get into an app store such as the Google Play Store because they do not contain malicious code. However, once users install them, they infect the device, install banking trojans and gain control of the user's device and even the funds linked to the mobile phone.

ThreatFabric, a computer support and services company based in Amsterdam that first discovered these new apps, detailed the malware droppers in a new blog post. The team reported a surge in the use of droppers to deliver malware, citing the apps' ability to provide a stealthy path for infecting devices.

These droppers reportedly install the banking trojans Sharkbot and Vultur. "At the beginning of October 2022, ThreatFabric analysts spotted a new campaign of banking Trojan Sharkbot, targeting Italian banking users. This campaign involved Sharkbot version 2.29 – 2.32. Following the research path, our analysts were able to identify the dropper app located on Google Play with 10k+ installations and disguised as an app to calculate tax code in Italy ("Codice Fiscale") targeting Italian users," the blog revealed.

SharkBot is an Android malware with the ability to "steal credentials via fake login prompts overlayed on legitimate website login forms, perform keylogging, steal and hide SMS messages, and take remote control over a mobile device," explained Bleeping Computer. Vultur, on the other hand, has the ability to "perform on-device fraud by offering its operators remote screen streaming and keylogging for social media and messaging apps."

Researchers discovered Sharkbot in 'Codice Fiscale 2022' and 'File Manager Small, Lite.' Vultur was discovered in apps such as 'Recover Audio, Images & Videos,' 'Zetter Authentication' and 'My Finances Tracker.'

If you have any of these apps installed on your devices, uninstall them immediately.

"Distribution through droppers on Google Play still remains the most "affordable" and scalable way of reaching victims for most of the actors of different level," ThreatFabric said. "While sophisticated tactics like telephone-oriented attack delivery require more resources and are hard to scale, droppers on official and third-party stores allow threat actors to reach wide unsuspecting audience with reasonable efforts."
