The State of Banking Droppers in 2024

2024-05-03

A Trojan dropper, or simply a dropper, is a malicious program designed to deliver other malware to a victim's computer or phone.

~Kaspersky IT Encyclopedia

In 2022, WhiteBlueOcean published an article warning of the risks and current capabilities of a type of malware known as droppers. These small and inconspicuous programs, which appear to target Android users in particular, act as a kind of backdoor that allows far more dangerous malware to be installed discreetly on your device. We have observed droppers stowed away inside malicious files and email attachments, and in some cases embedded within otherwise legitimate applications on the Google Play store, and even advertised on Google itself.

This article returns to the topic of droppers, covers the recent developments in this area, and provides useful tips to help you avoid falling victim to this type of attack.

Xenomorph and Sharkbot

In 2022, we published details of two prevalent banking droppers that had been targeting people worldwide, Xenomorph (also known as Xenobot) being one of them. The operators of this malware soon adopted a Malware-as-a-Service model, and in 2023 researchers discovered a new phishing campaign distributing an upgraded version that supported many more financial institutions than before. This support comes in the form of new overlays: a webpage or mobile application that looks exactly like the legitimate one but relays any information entered into it to an illegitimate third party. The Xenomorph developers added dozens of new overlays for US and Spanish financial institutions, and the malware was downloaded thousands of times.

Since then, and following a large amount of media buzz, Xenomorph has gone quiet. There is little information on its operators' current activities; however, at some point vx-underground obtained and published a Xenomorph malware sample, indicating that its code may have been leaked.

We also investigated the emergence of Sharkbot, first discovered in 2021. The dropper for this malware was concealed within applications on the Google Play store such as "Mister Phone Cleaner" and "Kylhavy Mobile Security". These applications appeared legitimate, and by tricking Android users who had put their trust in the safety of Google Play, allowed Sharkbot to be downloaded over 60,000 times across multiple countries. Sharkbot also appears to have gone quiet, and malware samples have likewise been published.

Present Trojan Threats

The Anatsa trojan, also known as TeaBot, was first noticed as a dropper disguised on the Google Play store in 2021, hidden within PDF viewing tools, QR code scanning apps, and other innocuous utility applications. In 2021 it was reported to have been downloaded over 300,000 times. After a brief hiatus, the malware reappeared in March of 2023, this time able to target significantly more banks and exfiltrate funds through on-device bank fraud using the victim's own credentials. Since then, this malware has continued to plague app users across the world, and its current campaign, beginning in November 2023, has seen it downloaded over 100,000 times already.

Like Sharkbot and Xenomorph, this trojan collects the banking information of its victims by keylogging and by launching a phishing overlay over the top of legitimate banking apps when they are opened. Anatsa is reported to have overlays compatible with over 600 apps belonging to legitimate financial institutions, and is continuously adding support for financial institutions in new countries, most recently Slovakia, Slovenia and Czechia. Once the victim's credentials have been harvested, funds are exfiltrated from the victim's accounts on their own device, using their own banking applications.

This iteration of Anatsa leverages new security bypasses that allow it to abuse Android's accessibility service without the user's permission. It also employs new techniques for downloading the rest of its payload from the attacker's Command and Control (C2) server. Similarly, new detection-evasion methods, unearthed and abused by malware developers, have driven a massive uptick in banking trojans overall, with Mamont, Coyote, Vultur and SoumniBot all making headlines in recent months.

Figure 1: In a previous campaign, Anatsa was found embedded in a host of functional applications on the Google Play Store such as "PDF Viewer," and a number of similar apps. These functioned as expected, and appeared legitimate. Originally, these apps carried no malicious content. However, an update was pushed that installed the Anatsa dropper onto thousands of affected devices. (Source: BleepingComputer)

It has become more common to separate the development of malware from the development of droppers. This way, malware developers can focus on what they have always focused on: malicious ways to interact with new versions of Android and to examine and exfiltrate data from their victims. Everything related to getting the malware onto a person's device in the first place is left to the dropper developers, whose focus is chiefly executing phishing campaigns and bypassing app store and operating system restrictions, all while new defence procedures are constantly being implemented. This separation of the two fields of development has given rise to a new service platform for malware: the Dropper-as-a-Service model.

The first widely observed dropper adopting this model was SecuriDropper, followed by Zombinder: two as-a-service platforms advertised on dark web forums, both of which are able to bypass Android 13's Restricted Settings countermeasures, introduced in 2022 to prevent Play Store apps from gaining certain privileges on a user's device. Notably, they do so via a technique that has been known, and at the time of writing left unaddressed by Google, since Android 13's release.

Prevention and Remediation steps

Despite new developments in the world of banking droppers, the preventative recommendations that we can make are largely the same:

1. Especially as new exploits exist for sideloaded apps, users should never install apps from external sources.

2. Ensure that you are running the newest software across your operating system and all device applications.

3. Be wary of permission requests made by applications that seem suspicious, for example, requesting accessibility controls.

4. Because developers can push automatic and malicious updates to applications on your device, delete apps that you no longer use.

5. Practice vigilance and continuously monitor your phone, inbox, bank accounts and social accounts for suspicious activity.
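One way a defender or analyst can act on steps 1 and 3 above is to triage an inventory of installed apps for the combination the droppers discussed here rely on: an app that did not come from the Play Store and holds accessibility, overlay or package-install rights. This is an added example, not code from the original article or from any malware or tool it names; the inventory and package names are constructed, and only the Android permission and installer identifiers are real.

```python
from dataclasses import dataclass, field
from typing import Optional

# Permissions the droppers and trojans described above depend on: accessibility
# (automating the banking app and logging keystrokes), drawing over other apps
# (phishing overlays) and installing further packages (the dropper stage itself).
HIGH_RISK_PERMISSIONS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility service",
    "android.permission.SYSTEM_ALERT_WINDOW": "draw over other apps (overlay)",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install other packages",
}
PLAY_STORE_INSTALLER = "com.android.vending"  # installer recorded for Play Store installs

@dataclass
class InstalledApp:
    package: str
    installer: Optional[str]  # None (or a generic package installer) means sideloaded
    permissions: set = field(default_factory=set)

def is_sideloaded(app: InstalledApp) -> bool:
    return app.installer != PLAY_STORE_INSTALLER

def risk_score(app: InstalledApp):
    """Score one app: 1 per high-risk permission, +2 when it was not installed from
    the Play Store. Play-installed apps are deliberately not scored 0 outright,
    because benign Play apps have been updated into droppers later (see Figure 1)."""
    findings = [label for perm, label in HIGH_RISK_PERMISSIONS.items() if perm in app.permissions]
    score = len(findings)
    if findings and is_sideloaded(app):
        score += 2
        findings.append("sideloaded")
    return score, findings

def triage(apps):
    """Return (package, score, findings) for every flagged app, highest risk first."""
    scored = [(a.package, *risk_score(a)) for a in apps]
    return sorted([s for s in scored if s[1] > 0], key=lambda s: -s[1])

# Constructed inventory for illustration; the package names are hypothetical.
SAMPLE_INVENTORY = [
    InstalledApp("com.example.bank", PLAY_STORE_INSTALLER, set()),
    InstalledApp("com.example.pdfviewer", None, {
        "android.permission.BIND_ACCESSIBILITY_SERVICE",
        "android.permission.REQUEST_INSTALL_PACKAGES",
    }),
    InstalledApp("com.example.launcher", PLAY_STORE_INSTALLER, {
        "android.permission.SYSTEM_ALERT_WINDOW",
    }),
]

if __name__ == "__main__":
    for package, score, findings in triage(SAMPLE_INVENTORY):
        print(f"{package}: score {score}, {', '.join(findings)}")
```

A high score is a prompt to inspect the app, not proof of infection; as the article notes, recent Anatsa builds reach the accessibility service through bypasses, so an absent permission grant is not a clean bill of health either.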

Bear in mind that phishing overlays carry with them some discrepancies that may be noticeable if you are perceptive: screen jitters, lag and slowness, connectivity issues, and sometimes a URL that does not match the website. If you recognise any of these signs, then you may be interacting with a phishing overlay.

If you think you have been a victim of a banking dropper

You should immediately:

1. Disable any network connectivity on your device to prevent it from interacting with your network.

2. Notify your bank of any fraudulent activity on your account, and consider resetting your device, or even purchasing a new device altogether, in case the malware has established persistence.

3. You should then take care to change the login credentials for all of your accounts and, from within these accounts, check for any unauthorised logins where it is possible for you to do so.

4. You may also have the option to log your accounts out of devices that you don't recognise as your own.

Conclusion

Banking droppers are sophisticated pieces of malware that can have devastating results. Over time, dropper developers have separated themselves from malware developers so they can dedicate more of their development effort to exploiting operating systems such as Android. Further, the rise of as-a-service platforms, and the improvements seen in some infamous malware families, mean that banking droppers pose more of a threat than ever.

WhiteBlueOcean recommends that you stay vigilant and informed about the current threat landscape, and that you follow our prevention and remediation advice in order to best protect yourself from this threat.

Sources

https://encyclopedia.kaspersky.com/glossary/trojan-droppers/
https://confluenceprod.crifnet.com/display/WBO/Droppers
https://www.threatfabric.com/blogs/xenomorph
https://www.darkreading.com/endpoint-security/xenomorph-android-malware-targets-customers-of-30-us-banks
https://twitter.com/vxunderground/status/1713398249229287469
https://thehackernews.com/2022/09/fake-antivirus-and-cleaner-apps-caught.html
https://www.threatfabric.com/blogs/google-play-droppers#anatsa_campaign
https://www.infosecurity-magazine.com/news/anatsa-banking-trojan-targets/
https://www.tomsguide.com/news/these-android-apps-can-steal-your-banking-info-by-recording-your-screen-delete-them-now
https://www.bleepingcomputer.com/news/security/anatsa-android-trojan-now-steals-banking-info-from-users-in-us-uk/
https://www.threatfabric.com/blogs/droppers-bypassing-android-13-restrictions

The information contained in this article is provided for informational purposes only and does not constitute professional advice and is not guaranteed to be accurate, complete, reliable, current or error-free.
