Date: 2022-10-31

Once again, cybercriminals have managed to take advantage of gaps in the Google Play Store’s defenses to distribute malware. This time, security researchers discovered a campaign using a type of threat known as a dropper, which led users to install banking trojans.
Photo: Pexels/cottonbro / Canaltech

Droppers are apps that look harmless, which is why they easily pass through Google Play’s detection systems. By themselves they pose no threat and even deliver the functions they promise, but they open a channel for installing other malicious programs that do cause harm.

The first campaign discovered by Threat Fabric researchers began in October. The detected apps, “Codice Fiscale 2022”, used to calculate taxes in Italy, and “File Manager Small, Lite”, a file manager, seemed harmless and did what was expected of them. However, they were used to download the SharkBot malware and had thousands of downloads.

Some time after installing the apps, the user would receive an alert to install a fake update, which was used to install SharkBot on the phone. The victim is directed to a page that looks like Google Play, from which the malicious payload is downloaded.

In the case of “Codice Fiscale 2022”, the installed malware version aims to steal Italian users’ bank details by intercepting SMS authentication codes and capturing login information via fake screens. The file manager casts a wider net, targeting users in Germany, Austria, Australia, Spain, the United States, Poland and the United Kingdom.

The threats don’t stop

The researchers discovered yet another campaign with droppers to distribute another banking trojan, called Vultur. The threat is operated by a cybercriminal group identified as Project Brunhilda.

The malware can remotely stream the victim’s phone screen and also records what users type in messaging applications and social networks. The researchers singled out the screen-monitoring mechanism as something they had not seen before, likely chosen to get around Android’s native protections.

There were three apps participating in the campaign:

Recover Audio, Images & Videos: 100,000 downloads

Zetter Authentication: 10,000 downloads

My Finances Tracker: 1,000 downloads

As with the SharkBot campaign, the apps presented a fake update installation screen, disguised as a Google Play warning.

Source: Bleeping Computer