Droppers

2022-11-30

In this modern world there is an app for everything. Easy access to a variety of free apps for our smartphones and tablets, with millions available on the Google Play Store*, gives cybercriminals an opportunity to find new ways of infiltrating our devices and getting hold of sensitive data. Because bad actors have established methods for getting past the security scans the Google Play Store has put in place to protect its users, deceptively innocent-looking applications containing malware, known as droppers, have entered the scene.


*Whilst we refer to the Google Play Store in this article this does not mean that this issue is exclusive to the Play Store, and users of other app stores and mobile operating systems should consider the same risks.


What is a dropper?

A dropper, also known as a trojan dropper, is a piece of software that is normally concealed within an app as a compressed file. To bypass Google Play Store security protections, cybercriminals conceal their apps’ malicious behaviour by introducing time-based delays, meaning that the malware is not activated until a certain amount of time has passed since the download. The delay can be anywhere from a couple of hours to multiple days. Once a dropper is downloaded and run, it assists the delivery and installation of malware, which is also known as the dropper’s payload. Droppers themselves do not cause harm to a victim’s device, but they act as a vehicle that infects the device by ‘dropping’ harmful files.

Recently, there have been incidents of dropper apps available on the Google Play Store distributing the banking trojan Xenomorph, which stole users’ credentials from banking applications by displaying fake login screens on top of legitimate banking apps. It was also capable of accessing one-time passwords and multi-factor authentication requests by intercepting SMS messages. Where possible, Google removes harmful apps and bans their developers from publishing more. This does not, however, altogether prevent droppers from appearing in app stores.

In October 2022, a dropper app disguised as an Italian tax code (Codice Fiscale) calculator was detected spreading yet another banking trojan, called SharkBot. First discovered in 2021, SharkBot uses an advanced attack technique called Automatic Transfer Systems (ATS). This is uncommon among Android malware, as it lets bad actors initiate money transfers by auto-filling fields in legitimate mobile banking applications instead of requiring manual data input, as other banking malware does. SharkBot can also simulate button presses and page clicks, which gives cybercriminals the ability to install other malware onto the infected device. To gain access to its victim’s smartphone or tablet, SharkBot convinced users to update the app by launching a fake Play Store page, thereby starting the installation process.

At this time, there are a number of droppers targeting different demographics distributed via the Play Store. ‘File Manager’ is known to distribute malware to users in European countries such as the UK, Germany and France, as well as the US and Australia. Apps like ‘My Finances Tracker’, ‘Zetter Authenticator’ and ‘Recover Audio, Images & Videos’ distribute Vultur – a banking trojan that not only steals data but gains access to the victim’s screen, consequently allowing bad actors to manually control the infected device.


Protect your device

Although Google is constantly improving its services to keep its users and their information secure, it is important for users to take measures to protect themselves and their devices.

  • Although droppers have been found hidden in the official Google Play Store, users should still never install apps from outside the legitimate app store.
  • Updating your device’s operating system regularly keeps it up to date with all the latest security patches.
  • When downloading new content to a device, always read through the permission requests. If an app seems to be asking for too much, it may be safer not to accept it.
  • Delete apps you no longer use, as they may contain your credentials, which bad actors could gain access to via droppers. In addition, apps that are no longer regularly updated by their developers may be used as entry points by cybercriminals.
  • Monitor your phone for suspicious activity, e.g. emails, messages or posts on your social media accounts that you did not send, new apps you did not install, etc.
  • Check that the name of the publisher of the app seems to make sense; for example, ABC Bank’s app would likely be published by ABC Bank rather than “A. Hacker”.
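As a worked illustration of the permission-review advice above, here is a small Python script added to this article (it is not code from the original post or from White Blue Ocean). It parses an Android manifest and flags declared permissions that correspond to the capabilities described earlier: installing further packages (payload delivery), drawing over other apps (fake login screens), reading SMS (one-time passwords) and running an accessibility service (auto-filling fields and simulated taps). The two manifests are constructed for the example, the package name and labels are placeholders, and the high/medium/low thresholds are an assumption; the permission strings themselves are real Android permission names.

```python
import xml.etree.ElementTree as ET

# Android attributes (android:name, android:permission) live in this XML namespace.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android permission strings. Each is legitimate in the right app; it is the
# combination that maps onto the dropper / banking-trojan behaviours in the article.
RISKY_PERMISSIONS = {
    "android.permission.REQUEST_INSTALL_PACKAGES":
        "can install further APKs (how a dropper delivers its payload)",
    "android.permission.SYSTEM_ALERT_WINDOW":
        "can draw over other apps (fake login screens on top of banking apps)",
    "android.permission.RECEIVE_SMS":
        "can read incoming SMS (one-time passwords, MFA requests)",
    "android.permission.READ_SMS":
        "can read stored SMS (one-time passwords, MFA requests)",
    "android.permission.BIND_ACCESSIBILITY_SERVICE":
        "accessibility service (auto-filling banking forms, simulated button presses)",
}

# Constructed sample manifests for this example; package name and labels are placeholders.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.taxcode.calculator">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <application android:label="Tax Code Calculator">
        <service android:name=".HelperService"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.taxcode.calculator">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Tax Code Calculator"/>
</manifest>
"""


def declared_permissions(manifest_xml: str) -> set:
    """Collect <uses-permission> names plus any permission guarding a <service>.
    Accessibility access is declared on the service element, not via uses-permission."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for elem in root.iter("uses-permission"):
        name = elem.get(ANDROID_NS + "name")
        if name:
            names.add(name)
    for svc in root.iter("service"):
        perm = svc.get(ANDROID_NS + "permission")
        if perm:
            names.add(perm)
    return names


def triage(manifest_xml: str) -> dict:
    """Return all declared permissions, the risky ones with an explanation, and a verdict.
    The thresholds are an assumption for this example, not any vendor's scoring."""
    perms = declared_permissions(manifest_xml)
    findings = {p: RISKY_PERMISSIONS[p] for p in sorted(perms) if p in RISKY_PERMISSIONS}
    can_install = "android.permission.REQUEST_INSTALL_PACKAGES" in findings
    other = len(findings) - int(can_install)
    if can_install and other >= 1:
        verdict = "high"      # can drop a payload AND shows payload-style capabilities
    elif len(findings) >= 2:
        verdict = "medium"
    elif findings:
        verdict = "low"
    else:
        verdict = "none"
    return {"permissions": sorted(perms), "findings": findings, "verdict": verdict}


def report(label: str, manifest_xml: str) -> str:
    """Human-readable summary of triage(), one line per flagged permission."""
    result = triage(manifest_xml)
    lines = [f"{label}: verdict={result['verdict']}"]
    for perm, why in result["findings"].items():
        lines.append(f"  {perm}: {why}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report("tax code calculator (constructed, suspicious)", SUSPICIOUS_MANIFEST))
    print(report("tax code calculator (constructed, benign)", BENIGN_MANIFEST))
```

The manifest inside a real APK is stored as binary XML, so a practitioner would first decode it with a tool such as apktool (`apktool d app.apk`) or list the permissions directly with `aapt dump permissions app.apk` before running a check like this. The verdict is a triage aid rather than proof of malice: the useful step is comparing the flagged permissions against what the app claims to do, since a tax code calculator has no reason to install packages, read SMS or drive an accessibility service.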

The information contained in this article is provided by White Blue Ocean, part of CRIF Group, a global company specializing in credit & business information systems, analytics, outsourcing and processing services, as well as advanced digital solutions for business development and open banking.


The information contained in this article is provided for informational purposes only and does not constitute professional advice and is not guaranteed to be accurate, complete, reliable, current or error-free.
