Malicious droppers on Google Play deliver banking malware to victims
2022-11-08 11:07

Android users are often advised to get mobile apps from Google Play, the company's official app marketplace, to minimize the possibility of downloading malware.

"Distribution through droppers on official stores remains one of the most efficient ways for threat actors to reach a wide and unsuspecting audience. Although other distribution methods are also used depending on cybercriminals' targets, resources, and motivation, droppers remain one of the best options on price-efforts-quality ratio, competing with SMiShing," Threat Fabric researchers recently pointed out, after sharing their discovery of several apps on Google Play functioning as droppers for the Sharkbot and Vultur banking trojans.

Evasion techniques of malware droppers on Google Play.

These trojanized, functional apps - usually file managers, file recovery tools, or security authenticators - are crafted to conceal their malicious nature from Google Play Protect, antivirus solutions, researchers, and users: they provide the advertised functionality, request a few common permissions that don't raise suspicion, and don't contain overtly malicious code.

More recently, Cleafy researchers shared additional information about the evasion techniques of a Vultur trojan dropper that was included in three apps found on Google Play.

"To avoid using REQUEST_INSTALL_PACKAGES permission, the dropper opens a fake Google Play store page impersonating page. It contains fake information about the number of installations and reviews, and urges the victim to perform an update. Shortly after the page is opened, the automatic download starts. Thus, the dropper outsources the download and installation procedure to the browser, avoiding suspicious permissions," the researchers explained.


News URL

https://www.helpnetsecurity.com/2022/11/08/google-play-malware-droppers/
