Android users are often advised to get mobile apps from Google Play, the company’s official app marketplace, to minimize the possibility of downloading malware. After all, Google analyzes apps before allowing them on the market. Unfortunately, time after time, we read about malware peddlers finding ways around that vetting process.
“Distribution through droppers on official stores remains one of the most efficient ways for threat actors to reach a wide and unsuspecting audience. Although other distribution methods are also used depending on cybercriminals targets, resources, and motivation, droppers remain one of the best option on price-efforts-quality ratio, competing with SMiShing,” Threat Fabric researchers recently pointed out, after sharing their discovery of several apps on Google Play functioning as droppers for the Sharkbot and Vultur banking trojans.
Evasion techniques of malware droppers on Google Play
These trojanized, functional apps – usually file managers, file recovery tools, or security (2FA) authenticators – are crafted to conceal their malicious nature from Google Play Protect, antivirus solutions, researchers, and users: they provide the advertized functionality, request few common permissions that don’t raise suspicion, and don’t contain overtly malicious code.
More recently, Cleafy researchers shared additional information about the evasion techniques of a Vultur trojan dropper that was included in three apps found on Google Play (RecoverFiles, My Finances Tracker, and Zetter Authenticator).
This dropper, created by the cybercrime crew behind the Brunhilda DaaS (Dropper as a Service), is constantly being improved. The latest version has a small footprint, requests few permission, and uses steganography, file deletion, string obfuscation and anti-emulation techniques to “hide” from emulators, sandboxes, and security solutions.
The Sharkbot dropper, as described by Threat Fabric researchers, asks for an even smaller number of common permissions, and then doesn’t even perform malicious activity if the user is not located in a specific geographic location.
“To avoid using [the potentially suspicious] REQUEST_INSTALL_PACKAGES permission, the dropper opens a fake Google Play store page impersonating [the trojanized app’s] page. It contains fake information about the number of installations and reviews, and urges the victim to perform an update. Shortly after the page is opened, the automatic download starts. Thus, the dropper outsources the download and installation procedure to the browser, avoiding suspicious permissions,” the researchers explained.
“Obviously, such approach requires more actions from the victim, as the browser will show several messages about the downloaded file. However, since victims are sure about the origin of the application, they will highly likely install and run the downloaded Sharkbot payload.”
Similarly, the Brunhilda dropper app displays to the user a persistent update request to download a new application (i.e., the Vultur malware).
“Although in that way, the user has to accept the Android permission to download and install the application from a different source than the official Google Store, this technique allows [threat actors] to not upload the malicious application directly to the official store, making the dropper application undetectable,” Cleafy researchers pointed out.