Five Play Store Droppers Target 200 Banking and Cryptocurrency Wallets Apps
SharkBot and Vultur Trojans Were Used in the Operation.
Five malicious apps that combined have over 130,000 installations on Android devices have been discovered in Google Play Store. The apps have targeted 231 banking and cryptocurrency wallet apps with the help of trojans such as SharkBot and Vultur. Targeted countries include the U.S., the U.K., Italy, Germany, France, Spain, Poland, Australia, Austria, and the Netherlands.
Details on the Operation
Dropper apps on official app stores like Google Play have increasingly become a popular and efficient technique to distribute banking malware to unsuspecting users, even as the threat actors behind those campaigns continually refine their tactics to bypass restrictions imposed by Google.
The five apps involved in the operation are:
- Codice Fiscale 2022
- My Finances Tracker
- File Manager Small, Lite
- Zetter Authenticator
- Recover Audio, Images & Videos
4 out of the 5 dropper apps are still available in the Play Store. The most recent wave of SharkBot assaults has targeted Italian banking users since the start of October 2022. These attacks involved the deployment of a dropper that pretended to be a to learn the country’s tax code (“Codice Fiscale 2022”).
Although Google’s Developer Program Policy limits the use of the REQUEST_INSTALL_PACKAGES permission to prevent the system from being abused to install arbitrary app packages, the dropper gets around this obstacle by impersonating the app listing, leading to the download of the malware disguised as an update. In other instances, the dropper impersonates a file manager app, as this category has the REQUEST_INSTALL_PACKAGES permission.
Three other droppers that provided the claimed functionalities as well as a stealth feature that asked users to install an update after opening the apps and gave them permission to install apps from unidentified sources—which resulted in the distribution of Vultur—were also discovered.