Malware in evolution: with the droppers the danger around the corner on the Play Store

Malware also evolves, and they do it for evade security systems most recent and updated that Google defends Android, the Play Store and the applications contained therein. The virtual store has always been fertile ground for this type of danger, and despite the efforts conducted by the Mountain View experts, Android 13 has already fallen under attack by malicious actors.

The most used technique in recent times is that of dropper malware – dropper – which exploits that is apparently harmless apps as they themselves do not contain malicious code – and therefore they can pass Google checks without problems – but they undermine the security of smartphones and unsuspecting users postponing the introduction of the malware later, via a (fake) update to be completed through a bogus page of the Play Store with which the connection to accessibility services takes place.

And, as often happens, it is the ones that are targeted banking apps and those belonging to the category finance. Threat Fabric confirms the increasingly frequent exploitation of this type of technique by identifying various apps on the Play Store that use it. SharkBoat for example it is a banking trojan capable of stealing personal data and SMS (the latter species to trace the 2FA codes) and of take control of your smartphone remotely. One of the apps that hides it is Tax Code 2022, downloaded in Italy thousands of times without users realizing its danger. It is used for the calculation of taxes, but in reality its goal is anything but.

Once downloaded and opened, the app requests the download of an update from a fake Play Store, with which the malware is installed inside our smartphone. Easy to fall for it, because the page looks exactly the same as the original one. Even the app File Manager it behaves in the same way and targets banks in Italy, the UK, Germany, Spain, Poland, Austria, Australia and the United States.

There is not only SharkBoat as a dropper: Vulturfor example, it is a banking Trojan through which the bad guys can gain access at the remote screen streaming and to record clicks and gestures, thus stealing user-filled passwords. In this case the app update request (apparently harmless) takes place via a fake Google Play warning: Once the authorization is given, the malware is downloaded. The apps identified are Recover Audio, Images & Videos, Zetter Authentication And My Finances Tracker: droppers are AES encrypted to hide strings.

The “good news” is that for the malware to be installed – and this applies to both SharkBoat and Vultur – a manual user intervention. The bad news, though, is that the fake websites that mimic the Play Store and the alerts are so similar to the originals that it’s easy to fall into the trap. The advice is always to check the URL with extreme care before proceeding and to do not authorize updates from unknown sources.