To circumvent Google’s security measures in the Play Store, hackers package malware as nondescript apps. However, banking Trojans are lurking behind them.

    Cyber criminals are increasingly using so-called dropper apps to install malware on smartphones. These apps are available on the Google Play Store and appear to be legitimate. The malware is only installed once they prompt the user for an update – including banking Trojans that are after account data.

    Dutch IT security company Threat Fabric has identified five apps that use a fake update to install banking Trojans on Android smartphones. They belong to two large-scale campaigns: one runs with the well-known Trojan “Vultur”, the other with the newer “Sharkbot”.

    Banking Trojan “Sharkbot” also targets German banks

    A new campaign involving the “Sharkbot” banking Trojan was only identified by Threat Fabric in early October. It primarily affects Italian Android users, but there are also cases in Germany and other countries.

    The Codice Fiscale dropper app, designed to help Italian users calculate their taxes, has been downloaded more than 10,000 times. When opened, the app checks the country in which the SIM card is registered. Only if it is actually an Italian SIM does “Codice Fiscale” try to install “Sharkbot”. To do this, it opens a fake Play Store page that displays an update – a so-called overlay. Instead of the update, however, the banking Trojan ends up on the smartphone.

    A second app with just over 1,000 installations is also aimed at users in Germany and other countries: the File Manager Small, Lite app. The process of installing “Sharkbot” is identical. The Trojan then tries to steal banking data from apps such as N26, PayPal, Targobank, Sparkasse, Postbank and Commerzbank on the smartphone.

    Even more apps contain “Vultur” Trojans

    Threat Fabric has identified three apps capable of installing the Vultur banking Trojan on Android smartphones. The company first discovered the Trojan in the summer of 2021. Dropper apps that contain the malware are grouped together under the name “Brunhilda Project”. Overall, the three apps that have now been uncovered have reached more than 110,000 installations from the Play Store. They are disguised as security authenticators and recovery tools.

    Normally, the dropper apps actually perform the stated function. However, immediately after installation, they communicate with a remote server to register the successful installation. The server sends a command to the app, which then prompts the user to install an update. If you tap on it, “Vultur” installs itself on the smartphone. The Trojan is a so-called keylogger that can record what is entered on the smartphone display. For example, if you enter the password for your banking app, the malware can read it.

    Android users should delete these apps immediately

    The malicious apps have since been reported to Google and removed from the Play Store. However, they do not automatically disappear from users’ smartphones. As is usual in such cases, you have to remove the affected apps from the device yourself.

    Here is the list of apps that may contain “Vultur” or “Sharkbot” banking Trojans:

    Sharkbot: Codice Fiscale 2022; File Manager Small, Lite

    Vultur: Recover Audio, Images & Videos; Zetter Authentication; My Finance’s Tracker

    How to protect yourself from banking Trojans

    Unfortunately, there is no general protection against Sharkbot’s overlay method or Vultur’s keylogger method. However, TECHBOOK has a few tips on the signs by which malicious apps can be recognized:

    • When an app asks for your login details even though you’re already signed in
    • Permission pop-ups that do not show an app name
    • Permission requests from apps that should have no need for the requested permissions, such as a calculator app that wants access to GPS
    • Spelling mistakes and graphical errors in the user interface
    • Buttons and links that do not refer to anything
    • The back button or gesture doesn’t work properly
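The dropper behaviour described above (a fake “update” that installs another package, an overlay drawn over the real screen, input capture) and the “calculator that wants GPS” sign both show up in the permissions an app declares. The following Python script is an added example, not code from the TECHBOOK article or from Threat Fabric: it reads the `<uses-permission>` entries from an AndroidManifest.xml and flags permissions that grant dropper-style capabilities or that do not fit the app’s declared category. The permission strings are real Android permissions; the choice of which ones to treat as indicators and the per-category baseline are this example’s own assumptions, and the two manifests are constructed samples.

```python
"""Heuristic review of declared Android permissions (added example).

Assumptions made here, not facts stated in the article:
  - The three DROPPER_INDICATORS permissions are treated as the capabilities a
    dropper/overlay/keylogger would need; the article does not name permissions.
  - EXPECTED_BY_CATEGORY is an illustrative baseline of what a benign app of that
    category plausibly needs.
"""
import re

# Real Android permission strings; the description is what the platform grants.
DROPPER_INDICATORS = {
    "android.permission.REQUEST_INSTALL_PACKAGES":
        "can install other APKs (the 'update' step of a dropper)",
    "android.permission.SYSTEM_ALERT_WINDOW":
        "can draw overlays on top of other apps (fake Play Store page)",
    "android.permission.BIND_ACCESSIBILITY_SERVICE":
        "can observe screen content and input (keylogger-style capture)",
}

# Assumed baseline: permissions a benign app of this category plausibly needs.
EXPECTED_BY_CATEGORY = {
    "calculator": set(),
    "file_manager": {"android.permission.READ_EXTERNAL_STORAGE",
                     "android.permission.WRITE_EXTERNAL_STORAGE"},
    "authenticator": {"android.permission.CAMERA"},   # QR-code enrolment
    "recovery_tool": {"android.permission.READ_EXTERNAL_STORAGE",
                      "android.permission.WRITE_EXTERNAL_STORAGE"},
}

# Permissions that deserve a justification in any app.
SENSITIVE = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
}

USES_PERM_RE = re.compile(r'<uses-permission\s+android:name="([^"]+)"')


def extract_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    return set(USES_PERM_RE.findall(manifest_xml))


def review(manifest_xml, category):
    """Return (kind, permission, reason) findings for one manifest.

    kind is 'dropper_capability' for an indicator permission, or
    'unexpected_for_category' for a sensitive permission the category
    baseline does not cover. An empty list means nothing was flagged.
    """
    expected = EXPECTED_BY_CATEGORY.get(category, set())
    findings = []
    for perm in sorted(extract_permissions(manifest_xml)):
        if perm in DROPPER_INDICATORS:
            findings.append(("dropper_capability", perm, DROPPER_INDICATORS[perm]))
        elif perm in SENSITIVE and perm not in expected:
            findings.append(("unexpected_for_category", perm,
                             f"a {category} app has no evident need for it"))
    return findings


# Constructed sample: a "calculator" that wants to install packages, draw
# overlays and read the precise location (mirrors the article's warning sign).
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.calc">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <application android:label="Calculator"/>
</manifest>
"""

# Constructed sample: a file manager that asks only for storage access.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.files">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <application android:label="File Manager"/>
</manifest>
"""

if __name__ == "__main__":
    for name, manifest, category in (("calc", SUSPICIOUS_MANIFEST, "calculator"),
                                     ("files", BENIGN_MANIFEST, "file_manager")):
        hits = review(manifest, category)
        print(f"{name}: {'SUSPICIOUS' if hits else 'nothing flagged'}")
        for kind, perm, reason in hits:
            print(f"  [{kind}] {perm}: {reason}")
```

On a real APK the manifest can be obtained with apktool or similar decoding tools; the script only looks at declared permissions, so an app that asks for a dangerous permission at runtime without declaring it, or a dropper that hides its capability inside the downloaded “update”, is not caught. The check is meant as a first triage step behind the warning signs listed above, not as a replacement for removing known-bad apps.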

    Sources

    ttn-35