Verticals Targeted: Financial
Executive Summary
ThreatFabric recently reported on multiple Android droppers found on the Google Play Store distributing banking trojans.
Key Takeaways
- Threat actors are using multiple Android droppers disguised as legitimate applications on the Google Play Store.
- The threat actors have modified the droppers to comply with the Play Store’s developer program policy to evade detection.
- The droppers analyzed primarily dropped Sharkbot and Vultur banking trojans.
According to ThreatFabric, threat actors favor malicious droppers on the Google Play Store because a dropper's small malicious footprint lets it stay undetected. Droppers also offer a high return on investment for distributing malware compared with other methods such as TOAD (telephone-oriented attack delivery), SMiShing, malicious advertisements, and exploits.
Threat actors continually adjust their droppers to comply with changes to the Play Store’s developer program policy to avoid suspicion and evade detection. ThreatFabric analysts estimate the droppers analyzed have been installed over 130,000 times.
Sharkbot
Threat actors modified new variants of the Sharkbot dropper to better hide the dropper's malicious contents. The new Sharkbot dropper requests only three permissions: internet access, reading external storage, and writing to external storage. The app obtains the country associated with the SIM and performs malicious activity only if the device's SIM is registered in Italy.
If the device is in the targeted country, it receives configuration data with a URL pointing to the payload. To avoid detection, the dropper opens an imposter Google Play Store page in the browser offering a download that claims to be the Codice Fiscale app. The page displays fake app information and attempts to trick the victim into performing an update, while an automatic download starts in the background.
Another Sharkbot dropper, disguised as a File Manager app, had zero installs at the time of discovery and used the REQUEST_INSTALL_PACKAGES permission, as previous versions of the dropper did. Google developer policies allow file manager applications to use this permission because it is part of their core functionality. The File Manager version of the dropper targets Italy and the UK in its configuration, and the payload targets banks in the UK, Italy, Germany, Spain, Poland, Austria, the US, and Australia.
Vultur
Vultur is an Android banking trojan that steals PII from infected devices using a screen streaming feature. It can also create a remote session on the device using VNC, allowing threat actors to perform On Device Fraud (ODF). ThreatFabric researchers discovered a connection between Vultur and the Brunhilda Project crew. The Brunhilda Project crew was known for the distribution of Android banking malware using droppers that were able to fly under Google’s radar. While Brunhilda originally deployed a variety of Android malware, it later began to only distribute Vultur.
Newer Brunhilda droppers are installing a novel variant of Vultur. ThreatFabric researchers found three Vultur droppers with between 1,000 and 100,000 installs each. The droppers pose as legitimate applications, including a finance tracker, an authenticator, and a file recovery tool. Each dropper is built from a trojanized application that otherwise functions as advertised. The dropper contacts its C2, which returns an appToken used to identify the victim's device. The dropper then attempts to trick the victim into downloading an update for the application. If the victim chooses to install the update, the dropper installs Vultur. The Brunhilda/Vultur campaign has primarily targeted crypto wallets and users in the UK, Netherlands, Germany, France, and Italy.
IOCs
PolySwarm has a sample of Sharkbot Dropper.
5649fb11661e059a6fa276127be2ea688471fec7cd3b1f4b2745a7d2b048cc26
You can use the following CLI command to search for all Sharkbot samples in our portal:
$ polyswarm link list -f Sharkbot
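The indicators in the Sharkbot section above (the three-permission profile, the REQUEST_INSTALL_PACKAGES permission that only file managers are expected to declare, and a SIM-country check) and the sample hash in this IOC section can be turned into a small triage script. The code below is an added example, not PolySwarm or ThreatFabric code. It assumes the analyst has already decoded AndroidManifest.xml and extracted the APK's strings (with apktool or similar); the manifests and package names in it are constructed, the `is_file_manager` flag is an analyst-supplied judgement, and the assumption that the SIM country is read through `TelephonyManager.getSimCountryIso()` is mine, since the report does not name the API.

```python
"""Triage helpers for Android dropper APKs, applying the indicators summarized
in this report. Added example, not PolySwarm or ThreatFabric code; the
manifests below are constructed, not taken from real apps."""
import hashlib
import xml.etree.ElementTree as ET
from typing import Optional

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Sharkbot dropper SHA-256 listed in the IOCs section of this report.
KNOWN_DROPPER_SHA256 = {
    "5649fb11661e059a6fa276127be2ea688471fec7cd3b1f4b2745a7d2b048cc26": "Sharkbot dropper",
}

# The new Sharkbot dropper requests exactly these three permissions.
SHARKBOT_MIN_PROFILE = frozenset({
    "android.permission.INTERNET",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
})
INSTALL_PERM = "android.permission.REQUEST_INSTALL_PACKAGES"

# Assumption: the dropper reads the SIM country via TelephonyManager; the method
# name is the string to look for among the APK's extracted strings.
SIM_COUNTRY_INDICATOR = "getSimCountryIso"


def permissions(manifest_xml: str) -> frozenset:
    """Return the set of <uses-permission> names declared in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    return frozenset(e.get(NAME_ATTR) for e in root.iter("uses-permission"))


def match_known_hash(sha256_hex: str) -> Optional[str]:
    """Return the IOC label for a SHA-256 digest, or None if it is not listed."""
    return KNOWN_DROPPER_SHA256.get(sha256_hex.lower())


def triage(manifest_xml: str, apk_bytes: bytes, dex_strings=(), is_file_manager=False) -> list:
    """Return the findings that fired; an empty list means none of the indicators matched."""
    findings = []
    label = match_known_hash(hashlib.sha256(apk_bytes).hexdigest())
    if label:
        findings.append(f"hash matches known {label}")
    perms = permissions(manifest_xml)
    if perms == SHARKBOT_MIN_PROFILE:
        findings.append("minimal Sharkbot-style permission set (internet + external storage only)")
    # Play Store policy allows file managers to declare this permission; any
    # other app declaring it deserves a closer look before it is trusted.
    if INSTALL_PERM in perms and not is_file_manager:
        findings.append("REQUEST_INSTALL_PACKAGES declared by an app that is not a file manager")
    if SIM_COUNTRY_INDICATOR in dex_strings:
        findings.append("reads SIM country (possible geofenced payload delivery)")
    return findings


# Constructed manifests for demonstration (package names are made up).
MANIFEST_TEMPLATE = """<manifest xmlns:android="{ns}" package="{pkg}">
{perms}
<application android:label="{label}"/>
</manifest>"""


def build_manifest(pkg: str, label: str, perms) -> str:
    lines = "\n".join(f'<uses-permission android:name="{p}"/>' for p in perms)
    return MANIFEST_TEMPLATE.format(ns=ANDROID_NS, pkg=pkg, label=label, perms=lines)


SUSPECT_MANIFEST = build_manifest("com.example.dropper", "Constructed Dropper", sorted(SHARKBOT_MIN_PROFILE))
BENIGN_MANIFEST = build_manifest("com.example.notes", "Notes", ["android.permission.INTERNET", "android.permission.CAMERA"])

if __name__ == "__main__":
    print(triage(SUSPECT_MANIFEST, b"constructed apk bytes", dex_strings={"getSimCountryIso"}))
    print(triage(BENIGN_MANIFEST, b"other constructed bytes"))
```

The permission-profile check is deliberately strict (exactly the three permissions), because that is what the report describes; loosen it to a subset check if you want to catch apps that add a permission or two on top. Any finding is a reason to pull the sample into the portal, not a verdict on its own.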
Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports