Shark hunting in a school of fish

Android droppers on the PlayStore used to install banking Trojans

A blog by the ThreatFabric research team gives readers an insight into the methods that malware authors use to get their malware installed through the official Play Store. To circumvent new limitations set out in the Developer Program Policy, malware authors have to rethink their methods for getting their malware installed.

In this case the researchers look at recent banking Trojan campaigns like SharkBot and Vultur.

SharkBot

We’ve seen SharkBot as one of the front-runners before when it comes to finding new ways to bypass behavioral detection countermeasures put in place by multiple banks and financial services over the last few years.

SharkBot is a banking Trojan created to harvest credentials and other sensitive financial and personal information from an affected Android device. Droppers for banking Trojans have the ability to download, install and launch the actual payload—the banking Trojan. This and other droppers caused Google to limit the usage of the REQUEST_INSTALL_PACKAGES permission to apps that have it as their core functionality.

One SharkBot dropper tried to abuse that exception by posing as a file manager, but it had zero installs and has been removed from the Play Store.

Circumvention

All in all, the malware developers had to find a way around these limitations, since depending on users to install apps from suspicious locations yields a lower number of victims. If you can offer an attractive app in the official Play Store then that improves your numbers significantly.

The new SharkBot dropper only needs three permissions, all of them quite common ones. To trick the user into installing the actual payload, the app opens a fake Google Play Store page in the browser. This page contains fake information about the number of installations and reviews, and urges the victim to perform an update.

Vultur

Vultur is an Android banking Trojan which specializes in stealing personally identifiable information (PII) from infected devices using its screen-streaming capabilities. Vultur can also open remote sessions on an infected device and perform actions on it.

Vultur’s dropper of choice is Brunhilda. The Brunhilda project used to deliver all kinds of Android malware, but recently has only been seen dropping the Vultur banking Trojan. This, and the fact that both malware strains use the same string obfuscation algorithm, leads to the assumption that the same cybercriminals are behind both projects, or that they are at least closely connected.

Circumvention

Brunhilda droppers have the actual functionality that they advertise in the Play Store, but the main goal is to deliver malware to the device. After fingerprinting the device, the dropper prompts the user to download an update for the application. The installation logic is not contained in the main executable file, but in an additional file which is loaded dynamically to make it harder for researchers to identify the malicious code.

Once the malware has been delivered, the Brunhilda app remains active on the device, performing the functionality it was downloaded for.

Warning signs

The fact that these methods use updates from an untrusted source will stop some users from proceeding. But, despite several warning messages about the downloaded file, a victim is likely to proceed with the install since they “know” what triggered the warnings, and they have already decided to trust the app that says it requires an update.

IOCs

The researchers estimated there have been over 130,000 installations of these malicious droppers from the Play Store and some of them are still available at the time of writing.

Sharkbot droppers detected by Malwarebytes for Android as Android/Trojan.Bank.SharkBot.itxc

  • Codice Fiscale 2022 = com.iatalytaxcode.app
  • File Manager Small, Lite = com.paskevicss752.usurf

Sharkbot samples detected by Malwarebytes for Android as Android/Trojan.Bank.SharkBot.BWR

  • Codice Fiscale = com.hzpwksdljgeibc.gmzjwdule
  • Codice Fiscale = com.gxulzkj.atuqczml

Brunhilda droppers detected by Malwarebytes for Android as Android/Trojan.Bank.SharkBot.alfln or Android/Trojan.Bank.SharkBot.umcrc

  • My Finances Tracker = com.all.finance.plus
  • RecoverFiles = com.umac.recoverallfilepro
  • Zetter Authenticator = com.zetter.fastchecking

Vultur samples detected by Malwarebytes for Android as Android/Trojan.Spy.Vultur.acrp or Android/Trojan.Spy.Vultur.zfsx

  • RecoverFiles = com.accessible.recoverypro
  • Zetter Authenticator = com.zforce.setupex
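As an added example (not code from the original post, ThreatFabric or Malwarebytes), the following Python triage script checks the package names reported by `adb shell pm list packages -f` against the dropper and payload package names listed above. The adb output used here is constructed so the script runs offline; `triage_device()` is the hypothetical helper that would run the real command against a connected device.

```python
import re
import subprocess
from typing import Dict, Iterable, List

# Package names taken from the IOC list in this post, labelled by the family
# and app name under which the post lists them.
IOC_PACKAGES: Dict[str, str] = {
    "com.iatalytaxcode.app": "SharkBot dropper (Codice Fiscale 2022)",
    "com.paskevicss752.usurf": "SharkBot dropper (File Manager Small, Lite)",
    "com.hzpwksdljgeibc.gmzjwdule": "SharkBot payload (Codice Fiscale)",
    "com.gxulzkj.atuqczml": "SharkBot payload (Codice Fiscale)",
    "com.all.finance.plus": "Brunhilda dropper (My Finances Tracker)",
    "com.umac.recoverallfilepro": "Brunhilda dropper (RecoverFiles)",
    "com.zetter.fastchecking": "Brunhilda dropper (Zetter Authenticator)",
    "com.accessible.recoverypro": "Vultur payload (RecoverFiles)",
    "com.zforce.setupex": "Vultur payload (Zetter Authenticator)",
}

# One line of `pm list packages -f` looks like: package:<apk path>=<package name>
_PM_LINE = re.compile(r"^package:(?P<path>.+)=(?P<name>[\w.]+)$")

def parse_pm_list(lines: Iterable[str]) -> Dict[str, str]:
    """Map package name -> APK path from `pm list packages -f` output."""
    found: Dict[str, str] = {}
    for line in lines:
        m = _PM_LINE.match(line.strip())
        if m:
            found[m.group("name")] = m.group("path")
    return found

def find_iocs(installed: Dict[str, str]) -> List[dict]:
    """Return one record per installed package that matches a listed IOC."""
    hits = [
        {"package": name, "apk": path, "label": IOC_PACKAGES[name]}
        for name, path in installed.items() if name in IOC_PACKAGES
    ]
    return sorted(hits, key=lambda h: h["package"])

def triage_device(serial: str = None) -> List[dict]:
    """Hypothetical helper: run adb against a connected device (not run offline)."""
    cmd = ["adb"] + (["-s", serial] if serial else []) + ["shell", "pm", "list", "packages", "-f"]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return find_iocs(parse_pm_list(out.splitlines()))

# Constructed sample output, not captured from a real device.
SAMPLE_PM_OUTPUT = """package:/system/app/Settings/Settings.apk=com.android.settings
package:/data/app/~~AbCd==/com.all.finance.plus-XyZ==/base.apk=com.all.finance.plus
package:/data/app/~~EfGh==/com.zforce.setupex-QrS==/base.apk=com.zforce.setupex
""".splitlines()

if __name__ == "__main__":
    for hit in find_iocs(parse_pm_list(SAMPLE_PM_OUTPUT)):
        print(f"{hit['package']}  {hit['label']}  {hit['apk']}")
```

A hit on a dropper alone does not rule out the payload: as the post describes, the dropper installs the banking Trojan under a different package name, so the device should be treated as compromised rather than just having the dropper removed.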


ABOUT THE AUTHOR

Pieter Arntz

Malware Intelligence Researcher
