A new set of malware dropper apps has been discovered on the Google Play Store; these apps use fake updaters to install banking Trojans on the devices of unsuspecting users.
As reported by BleepingComputer, malware droppers have a much easier time than malicious apps getting into official app stores like the Play Store, as they do not actually contain any malicious code. Instead, they can infect Android smartphones with malware after installation.
Malicious dropper apps are also harder to spot than rogue apps because they work as advertised once installed, with all of their malicious behavior taking place in the background. In a blog post from Threat Fabric, which first discovered these new malware droppers, the company’s security researchers report an increase in their use by cybercriminals, as the malware droppers offer an easier way to infect vulnerable devices.
Delete these apps now
If any of the apps listed below are installed on your Android smartphone or tablet, you will need to manually remove them immediately. However, it’s also worth taking a look at Threat Fabric’s research, as the company has also included a list at the end of its blog post with all the banking apps and crypto wallets targeted by the malware that these droppers leave on an infected device.
- Codice Fiscale 2022 – 10,000 downloads
- File Manager Small, Lite – 1,000 downloads
- Recover Audio, Images & Videos – 100,000 downloads
- Zetter Authentication – 10,000 downloads
- My Finances Tracker – 1,000 downloads
SharkBot and Vultur Banking Trojans
During its recent investigation, Threat Fabric discovered two malware distribution campaigns that distributed SharkBot and Vultur malware.
SharkBot is Android malware that uses fake login screen overlays to steal your banking and other credentials. However, it can also steal and hide text messages and take control of your Android smartphone remotely.
The malware dropper apps used to distribute SharkBot in this campaign are called “Codice Fiscale 2022” and “File Manager Small, Lite”. Luckily, the first app has only been downloaded 10,000 times by Italian Android users and the second has only 1,000 downloads, but it can steal credentials from banking apps used in the US, UK, Italy, Germany, Spain, Poland, Austria and Australia.
Once one of these apps is installed on a user’s device, the apps prompt them to install a fake update that infects their smartphone with SharkBot malware. However, these malware droppers also open a fake webpage designed to imitate the Play Store in an attempt to trick users into clicking “Update”.
The malware-dropping campaign used to spread the Vultur malware relies on three applications: “Recover Audio, Images & Videos”, “Zetter Authentication” and “My Finances Tracker”. Vultur is also a banking trojan that uses remote screen streaming and keylogging of social media and messaging apps to steal user credentials. However, the new variant of this malware used in the campaign discovered by Threat Fabric can also record clicks, gestures and all other actions performed by a victim on their Android device.
Malware droppers distributing Vultur malware also use fake updaters disguised as Play Store notices to install malware on a victim’s smartphone. Amazingly, these malware droppers use AES encryption to hide what they are really doing from automated scanners.
How to protect yourself from malware droppers
Just like with rogue apps, you can avoid malware droppers by being very careful when installing new apps on your Android smartphone. Before installing an application, you must first determine whether you really need it or not. From there, you should read reviews and check the app’s rating on the Play Store, but checking external reviews (preferably video reviews) is also a good idea, as cybercriminals often use fake reviews to make their bad apps more appealing.
Luckily, malware droppers often force you to install an update after putting them on your phone. If an app tries to do this and the update is not provided by Google through the Play Store, this is a major red flag and you should remove the app in question immediately.
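One way to check a device for apps that did not come through the Play Store is to read the installer recorded for each third-party package with `adb shell pm list packages -i -3`. The script below is an added example, not from Threat Fabric or the original article; the sample output and package names are constructed placeholders, and it assumes the Play Store is the only store in use on the device.

```python
import re

PLAY_STORE = "com.android.vending"  # package name of the Google Play Store
# One line of `adb shell pm list packages -i -3` output
LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)$")

# Constructed sample output; every package name here is a placeholder.
SAMPLE = """\
package:com.example.filemanager  installer=com.android.vending
package:com.example.bank  installer=com.android.vending
package:com.example.update  installer=com.example.filemanager
package:com.example.player  installer=null
package:com.example.tool  installer=com.google.android.packageinstaller
"""

def parse(text):
    """Map each package to its recorded installer (None if not recorded)."""
    result = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank lines and anything unexpected
        inst = m.group("inst")
        result[m.group("pkg")] = None if inst == "null" else inst
    return result

def flag_non_play(text):
    """Return (package, installer, reason) for apps Play did not install."""
    pkgs = parse(text)
    findings = []
    for pkg, inst in sorted(pkgs.items()):
        if inst == PLAY_STORE:
            continue
        if inst in pkgs:
            # Another third-party app installed this one: dropper pattern.
            reason = "installed by another third-party app"
        elif inst is None:
            reason = "no installer recorded (sideloaded)"
        else:
            # Other legitimate stores land here too under our assumption.
            reason = "installed outside the Play Store"
        findings.append((pkg, inst, reason))
    return findings

if __name__ == "__main__":
    for pkg, inst, reason in flag_non_play(SAMPLE):
        print(f"{pkg}: {reason} (installer={inst})")
```

A dropper downloaded from the Play Store will itself show the Play Store as its installer, so the entry to look at is the package it installed afterwards.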
When it comes to malware protection, you need to make sure that Google Play Protect is enabled on your Android devices as it automatically scans for malware in the background. For added protection, you’ll also want to install one of the best Android antivirus apps on your smartphone or tablet.
Google engineers work tirelessly to rid the Play Store of malicious apps. However, since they contain no malicious code, malware droppers are more likely to bypass the search giant’s security measures, which is why you should always be careful when installing a new app on your Android devices.