To reduce the risk of downloading malware, Android users are frequently advised to install mobile apps only through Google Play, the company’s official app store. After all, Google vets apps before they are published there.
“One of the most effective ways for threat actors to reach a large and unknowing audience continues to be distribution through droppers on official stores. Droppers continue to be one of the best options on price-efforts-quality ratio, competing with SMiShing,” according to Threat Fabric researchers, who recently shared their discovery of several apps on Google Play acting as droppers for the Sharkbot and Vultur banking trojans. Other distribution methods are also used depending on the targets, resources, and motivation of cybercriminals.
Methods used by malware droppers on Google Play to avoid detection
These functional, trojanized apps—typically file managers, file recovery tools, or security (2FA) authenticators—are made to hide their malicious nature from Google Play Protect, antivirus software, researchers, and users. They offer the advertised functionality, ask for a small number of standard permissions that don’t raise red flags, and don’t have any code that is obviously malicious.
More recently, Cleafy researchers revealed more details regarding the evasion strategies used by a Vultur trojan dropper that was present in three Google Play apps (RecoverFiles, My Finances Tracker, and Zetter Authenticator).
This dropper is continuously being enhanced by the cybercrime team behind the Brunhilda DaaS (Dropper as a Service). The most recent version “hides” from emulators, sandboxes, and security tools by having a small file footprint, requesting few permissions, and using steganography, file deletion, string obfuscation, and anti-emulation techniques.
According to researchers at Threat Fabric, the Sharkbot dropper requests even fewer uncommon permissions and does not carry out any harmful behavior unless the user is in a certain location.
“The dropper opens a phony Google Play store page emulating [the trojanized app’s] website in order to avoid invoking [the possibly suspicious] REQUEST_INSTALL_PACKAGES permission. It solicits the victim to do an update and provides false information regarding the quantity of installations and reviews. Shortly after the page is opened, the automatic download starts. Thus, the dropper outsources the download and installation procedure to the browser, avoiding suspicious permissions,” the researchers explained.
Because the browser displays several warnings about the downloaded file, this technique clearly requires additional action from the victim. Victims are nevertheless likely to install and run the downloaded Sharkbot payload, since they trust the application’s origin.
The Brunhilda dropper, for its part, repeatedly shows the user an update request that downloads a new application (i.e., the Vultur malware).
This technique enables [threat actors] to avoid uploading the malicious application directly to the official store, making the dropper application undetectable, according to researchers at Cleafy. “Although in that way, the user has to accept the Android permission to download and install the application from a different source than the official Google Store,” they wrote.
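Both droppers described above end up with a payload that was installed by the browser or the system package installer rather than by Google Play, which leaves a trace defenders can check. The following script is an added example, not code from the article or the cited researchers: it parses the output of `adb shell pm list packages -3 -i` (assumed line format `package:<name> installer=<installer-or-null>`) and flags third-party packages whose recorded installer is not a trusted store. The sample output and package names are constructed.

```python
import re
from typing import Dict

PLAY_STORE = "com.android.vending"

# Installer values typical of an APK installed from a browser download:
# the system package installer, or no installer recorded at all.
SIDELOAD_INSTALLERS = {
    "null",
    "com.google.android.packageinstaller",
    "com.android.packageinstaller",
}

LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)$")

# Constructed sample of `adb shell pm list packages -3 -i` output. The -3 flag
# limits the list to third-party apps, so preinstalled system apps (which also
# report installer=null) do not produce false positives.
SAMPLE_OUTPUT = """\
package:com.example.filemanager installer=com.android.vending
package:com.example.authenticator installer=com.android.vending
package:com.example.update installer=null
package:com.example.bankhelper installer=com.google.android.packageinstaller
package:com.example.game installer=com.sec.android.app.samsungapps
"""

def parse_pm_output(text: str) -> Dict[str, str]:
    """Map package name -> recorded installer from `pm list packages -i` output."""
    installers = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            installers[m.group("pkg")] = m.group("inst")
    return installers

def classify(installer: str, trusted=frozenset({PLAY_STORE})) -> str:
    """'store' for a trusted store, 'sideloaded' for the package installer or
    no installer at all, otherwise 'other-installer' (e.g. a vendor store)."""
    if installer in trusted:
        return "store"
    if installer in SIDELOAD_INSTALLERS:
        return "sideloaded"
    return "other-installer"

def flag_packages(text: str, trusted=frozenset({PLAY_STORE})) -> Dict[str, str]:
    """Return {package: category} for every package not from a trusted store."""
    return {pkg: classify(inst, trusted)
            for pkg, inst in sorted(parse_pm_output(text).items())
            if classify(inst, trusted) != "store"}

if __name__ == "__main__":
    for pkg, why in flag_packages(SAMPLE_OUTPUT).items():
        print(f"{why:16} {pkg}")
```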