Droppers

2022-11-30

In this modern world there is an app for everything. Easy access to a variety of free apps for our smartphones and tablets, with millions available on the Google Play Store*, gives cybercriminals an opportunity to find new ways of infiltrating our devices and getting hold of sensitive data. Since bad actors have established methods to get past the Google Play Store’s security scans put into place to protect its users, deceptively innocent looking applications containing malware known as droppers have entered the scene. 


*Whilst we refer to the Google Play Store in this article this does not mean that this issue is exclusive to the Play Store, and users of other app stores and mobile operating systems should consider the same risks.


What is a dropper

A dropper, also known as a trojan dropper, is a piece of software that is normally concealed within an app as a compressed file. In order to bypass Google Play Store security protections, cybercriminals conceal their apps’ malicious behaviour by introducing time-based delays meaning that malware will not be activated until a certain amount of time has passed since the download. The delay could be anywhere between a couple of hours to multiple days. Once a dropper is downloaded and run, it assists the delivery and installation of malware which is also known as the dropper’s payload. Droppers themselves do not cause harm to a victim’s device but they do act as a vehicle that infects victim devices by ‘dropping’ harmful files

Recently, there have been incidents of dropper apps available on the Google Play Store distributing the banking trojan Xenomorph that stole users’ credentials from banking applications by providing fake login screens on top of legitimate banking apps. It was also capable of accessing one-time passwords and multi-factor authentication requests by intercepting SMS messages. When possible, Google removes harmful apps and bans their developers from publishing more. It does not, however, altogether prevent droppers from appearing in app stores. 

In October 2022 a dropper app disguised as an Italian tax code (also known as Codice Fiscale) calculator was detected spreading yet another banking trojan called SharkBot. First discovered in 2021, SharkBot uses an advanced attack technique called Automatic Transfer Systems (ATS). It is uncommon to Android malware as it lets bad actors initiate money transfers by auto-filling fields in valid mobile banking applications instead of requiring manual data input like other banking malware does. SharkBot can also simulate button presses and page clicks that gives cybercriminals the power to install other malware onto the infected device. To gain access to its victim’s smartphone or tablet, SharkBot convinced users to update the app by launching a fake Play Store page thus implementing the installation process. 

At this time, there are a number of droppers targeting different demographics distributed via the Play Store. ‘File Manager’ is known to distribute malware to users in European countries such as the UK, Germany, France as well as the US and Australia. Apps like ‘My Finances Tracker’, ‘Zetter Authenticator’ and ‘Recover Audio, Images & Videosdistribute Vultur – a banking trojan that not only steals data but gains access to the victim’s screen consequently allowing bad actors to manually control the infected system. 


Protect your device

Although Google is constantly improving its services to keep its users and their information secure, it is important for users take measures to protect themselves and their devices. 

  • Although there are droppers hidden in the official Google Play Store, users should never install apps from outside the legitimate app store.
  • Updating device’s operating system regularly keeps it up to date with all the latest security patches. 
  • When downloading new content to a device, always read through permission requests. If they seem to be asking too much, it could be safer to not accept it. 
  • Delete apps you no longer use as they may contain your credentials that bad actors can gain access to via droppers. In addition, apps that are no longer regularly updated by developers may be used as entry points by cybercriminals. 
  • Monitor your phone for suspicious activity, i.e., emails, messages or posts on your social media accounts that you did not send, new apps you did not install etc.
  • Check that the name of the publisher of the app seems to make sense; for example, ABC Bank’s app would likely be published by ABC Bank rather than “A. Hacker”.

The information contained in this article is provided by White Blue Ocean, part of CRIF Group, a global company specializing in credit & business information systems, analytics, outsourcing and processing services, as well as advanced digital solutions for business development and open banking.

Reference list

https://research.nccgroup.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/
https://thehackernews.com/2022/11/these-two-google-play-store-apps.html?_m=3n.009a.2887.io0ao44blc.1usy&m=1&utm_source=pocket_saves
https://www.bleepingcomputer.com/news/security/droppers-is-how-android-malware-keeps-sneaking-into-the-play-store/
https://www.cyberghostvpn.com/en_US/privacyhub/dropper-apps-google-play/
https://www.cyberghostvpn.com/en_US/privacyhub/google-play-malware/
https://www.makeuseof.com/what-is-a-trojan-dropper/
https://www.threatfabric.com/blogs/deceive-the-heavens-to-cross-the-sea.html#how-we-help-our-customers
https://www.threatfabric.com/blogs/the-attack-of-the-droppers.html#vultur-brunhilda-is-back

 

The information contained in this article is provided for informational purposes only and does not constitute professional advice and is not guaranteed to be accurate, complete, reliable, current or error-free.

Related news

Cyber threat landscape: who is LockBit gang?
2022-11-03

The cyber threat landscape has undergone many shifts in the past year, from the involvement of ransomware cyber gangs in hacktivist activity during the war between Russia and Ukraine, to the disappearance from the scene of the most prolific ransomware groups. These include DarkSide, the hacker group behind the Colonial Pipeline attack, and REvil, One of the groups that has been active since 2019 and continues to grow regardless of the shifts in the cyber threat landscape is the LockBit gang.

Read more
2023 Cybersecurity Threats and Trends | White Blue Ocean
2023 Cybersecurity Threats and Trends
2023-07-05

is perpetrated. In this article, we will take you through some key points which illustrate the direction that cybercrime is taking. This might help to inform users about the types of attacks we can expect throughout the rest of 2023.

Read more
The best messaging apps for privacy | White Blue Ocean Blog
What are the best messaging apps for privacy?
2023-05-12

Where can you still expect to be able to have a private conversation online? We do have some suggestions which could help you in finding the ideal private messaging platform. First, we'll go over some key factors that you need to consider in your decision and then provide you a selective review.

Read more
The State of Banking Droppers in 2024
The State of Banking Droppers in 2024
2024-05-03

The evolution of banking droppers poses a serious threat to Android users’ financial privacy, as cybercriminals are able to constantly develop new tactics to bypass security measures and steal victims’ banking data. Starting from two notorious malware like Xenomorph and Sharkbot, this article explores the recent developments of this cyber phenomenon, providing essential tips for prevention and remediation.

Read more
How Bad Actors Begin
2023-08-02

There is a clear path of progression for a bad actor to go from unknown and uninvolved, to standing shoulder to shoulder with the internet's most sophisticated criminals. In this article we attempt to answer the question of how bad actors are made.

Read more

Contacts

Let's talk

Please fill in the form below (fields with * are mandatory) and we will respond to your request as soon as possible!