"Malicious Droppers on Google Play Deliver Banking Malware to Victims"

To reduce the possibility of downloading malware, Android users are often told to download mobile apps only from Google Play, the company's official app marketplace. Google examines apps before releasing them to the public. However, malware distributors continue to find ways around the vetting process. Distribution via droppers on official app stores is still one of the most effective ways for threat actors to reach a large and unsuspecting audience. Other distribution methods are used depending on cybercriminals' targets, resources, and motivation, but droppers continue to be one of the best options on a price-efforts-quality ratio, competing with SMiShing, according to Threat Fabric researchers, who recently shared their discovery of several apps on Google Play functioning as droppers for the Sharkbot and Vultur banking Trojans.

These trojanized but functional apps, which are typically file managers, file recovery tools, or two-factor authenticator (2FA) apps, are designed to hide their malicious nature from Google Play Protect, antivirus software, researchers, and users. They provide the advertised functionality, ask for only a few common permissions that do not look suspicious, and do not contain overtly malicious code.

Cleafy researchers recently shared additional information about the evasion techniques of a Vultur Trojan dropper found in three Google Play apps: RecoverFiles, My Finances Tracker, and Zetter Authenticator. This dropper is constantly being improved by the cybercrime team behind the Brunhilda Dropper-as-a-Service (DaaS). The most recent version has a small footprint, requires few permissions, and hides from emulators, sandboxes, and security solutions through steganography, file deletion, string obfuscation, and anti-emulation techniques. According to Threat Fabric researchers, the Sharkbot dropper requests an even smaller set of common permissions and does not perform the malicious activity if the user is not in a specific geographic location.
This article continues to discuss the malicious droppers found on Google Play delivering banking malware to victims. 

Help Net Security reports "Malicious Droppers on Google Play Deliver Banking Malware to Victims"
