
Malicious dropper apps on Play Store totaled 30.000+ installations


ThreatFabric researchers discovered five malicious dropper apps on Google Play Store with more than 130,000 downloads.

Researchers at ThreatFabric have discovered five malicious dropper apps on the official Google Play Store. The malicious dropper apps are designed to deliver banking trojans, such as SharkBot and Vultur, that already totaled over 130,000 installations.

“Droppers on Google Play went from using AccessibilityService to auto-allow installation from unknown sources to using legitimate sources to control them and store malicious payloads.” reads the analysis published by ThreatFabric. “Following the updates to the “Developer Program Policy” and system updates, actors immediately introduce new ways to sneak to the official store, overcoming limitations or adjusting droppers to follow the guidelines and not arouse suspicion.”

At the beginning of October 2022, the experts uncovered a new campaign spreading the Sharkbot banking Trojan. The campaign targets Italian banking users with Sharkbot versions 2.29 to 2.32, delivered through dropper apps on Google Play with 10k+ installations. The malicious apps masqueraded as a utility for calculating the Italian tax code (“Codice Fiscale”), targeting Italian users.

However, unlike previous Sharkbot campaigns, the dropper apps used in this campaign requested only three permissions, all of them quite common, in order to avoid raising suspicion.

To avoid requesting the REQUEST_INSTALL_PACKAGES permission, the dropper apps open a fake Google Play Store page that impersonates the Codice Fiscale app page. The page shows fabricated installation counts and reviews and urges the victim to update the app. Once the page is opened, the download starts automatically.
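The two dropper generations described above differ mainly in what the manifest asks for: the older ones declare REQUEST_INSTALL_PACKAGES or bind an AccessibilityService, the Codice Fiscale droppers request only a few common permissions and push the install through the browser. The following Python script is an added example (not code from the ThreatFabric report or from Security Affairs) of a manifest triage check a reviewer could run over a decoded AndroidManifest.xml: it lists requested permissions, flags the install/automation primitives, and reports when a package looks "low profile". The permission strings are real Android permission names; the risk labels, the `HIGH_RISK` and `COMMON_BENIGN` sets, and both sample manifests are constructed for this example.

```python
"""Static triage of an Android manifest for dropper-style permission patterns.

Added example, not from the ThreatFabric report: the permission names are real
Android permission strings, the risk labels and sample manifests are constructed.
"""
import xml.etree.ElementTree as ET

# Attributes in AndroidManifest.xml live in the android: namespace.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Install/automation primitives a reviewer would flag. Risk text is this example's own.
HIGH_RISK = {
    "android.permission.REQUEST_INSTALL_PACKAGES":
        "can prompt the user to install APKs from unknown sources",
    "android.permission.BIND_ACCESSIBILITY_SERVICE":
        "accessibility service can observe and drive the UI",
    "android.permission.SYSTEM_ALERT_WINDOW":
        "overlay windows can cover or mimic other apps",
}

# Permissions so common that their presence alone says nothing (constructed set).
COMMON_BENIGN = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.WAKE_LOCK",
}


def requested_permissions(manifest_xml: str) -> set[str]:
    """Collect permissions from <uses-permission> and from service bindings."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    # BIND_ACCESSIBILITY_SERVICE is declared on a <service>, not via <uses-permission>.
    for svc in root.iter("service"):
        perm = svc.get(ANDROID_NS + "permission")
        if perm:
            perms.add(perm)
    return {p for p in perms if p}


def triage(manifest_xml: str) -> dict:
    """Return the permission list, high-risk findings and a low-profile indicator."""
    perms = requested_permissions(manifest_xml)
    findings = [f"{p}: {HIGH_RISK[p]}" for p in sorted(perms) if p in HIGH_RISK]
    # Low profile = nothing flagged and nothing beyond the very common set.
    low_profile = not findings and perms <= COMMON_BENIGN
    return {"permissions": sorted(perms), "findings": findings, "low_profile": low_profile}


# Constructed sample: an older-style dropper that installs the payload itself.
CLASSIC_DROPPER = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.dropper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application>
    <service android:name=".Helper"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

# Constructed sample: a low-profile dropper that delegates the download to the browser.
LOW_PROFILE_DROPPER = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.taxcode">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <application/>
</manifest>"""


if __name__ == "__main__":
    for label, manifest in (("classic", CLASSIC_DROPPER), ("low-profile", LOW_PROFILE_DROPPER)):
        result = triage(manifest)
        print(label, result["permissions"])
        for finding in result["findings"]:
            print("  FLAG:", finding)
        if result["low_profile"]:
            print("  no suspicious permissions; review runtime behaviour (URLs opened, sideload prompts)")
```

A `low_profile` result is not a clean bill of health. The point of the article is precisely that the browser-delegated droppers need no suspicious permissions, so a manifest check that returns nothing should move the review to runtime behaviour: which URLs the app opens, whether it lands the user on a Play Store look-alike page, and whether it nudges them toward installing a downloaded APK.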

“Thus, the dropper outsources the download and installation procedure to the browser, avoiding suspicious permissions.” continues the report. “Obviously, such approach requires more actions from the victim, as the browser will show several messages about the downloaded file. However, since victims are sure about the origin of the application, they will highly likely install and run the downloaded Sharkbot payload.”

The droppers target 231 banking and cryptocurrency wallet apps from entities in Italy, the U.K., Germany, Spain, Poland, Austria, the U.S., Australia, France, and the Netherlands.

Recently, ThreatFabric also discovered three new dropper apps on the Google Play Store, with between 1,000 and 100,000 installations each. The apps masqueraded as security authenticators or file recovery tools and deliver a novel variant of the Vultur Android banking malware.

The new variant adds the ability to log user interface elements and interaction events, which lets it work around the FLAG_SECURE window flag that prevents screen captures.

“Android offers a way to tag the content of the window as secure, by using the “FLAG_SECURE”, which prevents it “from appearing in screenshots or from being viewed on non-secure displays”. ThreatFabric tested this and is able to confirm that windows with this flag enabled only show a black screen during screen-streaming.” continues the report. “However, if the keyboard is opened during interaction with the secured app, it will be visible on the recording as well as all the keys pressed by victim leading to potential theft of input data. In this case, it is possible to obtain enough information to steal credentials even with a black screen, when all the UI events are logged and sent to the C2.”

The list of malicious droppers is included in the Appendix of the report.

Follow me on Twitter: @securityaffairs and Facebook


Pierluigi Paganini

(SecurityAffairs – hacking, Android)
