Another 130,000+ installations of malicious droppers from the official store

A year ago, we highlighted a trend of malicious droppers in the Google Play store being used to distribute banking Trojans. We also predicted further efforts by cybercriminals to reduce the malicious footprint of their malware in order to stay undetected. Distribution through droppers on official stores remains one of the most efficient ways for threat actors to reach a wide and unsuspecting audience. Although other distribution methods are also used depending on the cybercriminals' targets, resources, and motivation, droppers remain one of the best options in terms of price, effort and quality, competing with SMiShing.

The history of the competition between malware authors and security mechanisms has taken several twists as new measures were introduced. Droppers on Google Play went from abusing AccessibilityService to auto-allow installation from unknown sources to using legitimate services to control the droppers and to host the malicious payloads. Following updates to the "Developer Program Policy" and to the Android system, actors immediately introduce new ways to sneak into the official store, either overcoming the limitations or adjusting their droppers to follow the guidelines and not arouse suspicion. A brief story of that battle is presented in the graph below.

In this blog we uncover additional tactics cybercriminals use in new Google Play droppers discovered by ThreatFabric analysts. These droppers have a cumulative number of 130k+ installations and distribute the Sharkbot and Vultur banking Trojans.

Sharkbot: the less you see, the more they get

In the beginning of October 2022, ThreatFabric analysts spotted a new campaign of the banking Trojan Sharkbot targeting Italian banking users. This campaign involved Sharkbot versions 2.29 to 2.32. Following the research path, our analysts were able to identify the dropper app on Google Play: it had 10k+ installations and was disguised as an app to calculate the Italian tax code ("Codice Fiscale"), targeting Italian users.

This is not the first time that a Sharkbot dropper has sneaked into the official Google store, but this time the authors did their best to hide the malicious intent of the dropper. Previous versions of Sharkbot droppers, as well as other droppers (including those we highlight below in this blog), include the ability to download, install and launch the malicious payload. Such behaviour is obviously suspicious, and it already prompted Google to change the Developer Program Policy so that use of the REQUEST_INSTALL_PACKAGES permission is limited to apps for which installing packages is core functionality.
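The two dropper indicators discussed above, the REQUEST_INSTALL_PACKAGES permission used to install a downloaded payload and a declared AccessibilityService used to click through the "install from unknown sources" prompt, are both visible statically in a decoded AndroidManifest.xml. The triage script below is an added example written for this article, not ThreatFabric tooling or code from any of the droppers; the two manifests it inspects are constructed for illustration, and the package and class names in them are invented. It flags a manifest as worth a closer look when either indicator is present, while noting that REQUEST_INSTALL_PACKAGES on its own is legitimate for file managers and similar apps, exactly the "core functionality" case the policy carves out, so the output is a triage signal rather than a verdict.

```python
"""Static triage of a decoded AndroidManifest.xml (as produced by apktool)
for two dropper indicators: the REQUEST_INSTALL_PACKAGES permission and a
declared AccessibilityService. Added example, not ThreatFabric code."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS
PERMISSION_ATTR = "{%s}permission" % ANDROID_NS

INSTALL_PERMISSION = "android.permission.REQUEST_INSTALL_PACKAGES"
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def triage_manifest(manifest_xml: str) -> dict:
    """Return the package name, the indicators found, and a suspicious flag."""
    root = ET.fromstring(manifest_xml)

    # Every <uses-permission android:name="..."/> declared by the app.
    permissions = {el.get(NAME_ATTR) for el in root.iter("uses-permission")}

    # A service is an AccessibilityService only if the system is allowed to
    # bind it, i.e. it is protected by BIND_ACCESSIBILITY_SERVICE.
    accessibility_services = [
        svc.get(NAME_ATTR)
        for svc in root.iter("service")
        if svc.get(PERMISSION_ATTR) == ACCESSIBILITY_BIND
    ]

    findings = []
    if INSTALL_PERMISSION in permissions:
        findings.append("requests REQUEST_INSTALL_PACKAGES (can install a downloaded APK)")
    if accessibility_services:
        findings.append(
            "declares AccessibilityService(s): " + ", ".join(accessibility_services)
        )

    return {
        "package": root.get("package"),
        "findings": findings,
        # Either indicator alone warrants review; both together is the classic
        # dropper shape. Neither proves malice: file managers legitimately
        # request REQUEST_INSTALL_PACKAGES.
        "suspicious": bool(findings),
    }


# Constructed sample: a "tax code calculator" that has no business installing
# packages, yet requests the permission and ships an AccessibilityService.
DROPPER_LIKE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.codicefiscale">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <application android:label="Codice Fiscale">
        <activity android:name=".MainActivity"/>
        <service android:name=".UpdateService"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>"""

# Constructed sample: the same kind of app without either indicator.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.taxcalc">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Tax Calc">
        <activity android:name=".MainActivity"/>
        <service android:name=".SyncService"/>
    </application>
</manifest>"""


if __name__ == "__main__":
    for sample in (DROPPER_LIKE_MANIFEST, BENIGN_MANIFEST):
        result = triage_manifest(sample)
        print(result["package"], "->", "REVIEW" if result["suspicious"] else "ok")
        for finding in result["findings"]:
            print("   ", finding)
```

Run it against the output of `apktool d` on a suspect APK by reading the decoded AndroidManifest.xml into `triage_manifest`. The check deliberately keys on the BIND_ACCESSIBILITY_SERVICE protection rather than on the service class name, because the class name is under the author's control while the bind permission is what Android requires for the service to receive accessibility events.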