A new, and rather successful campaign to deliver Trojans to Android (opens in new tab) users has been uncovered by cybersecurity researchers from Threat Fabric.
The experts warn that ever since Google made updates to its “Developer Program Policy”, threat actors have been looking for new ways to deliver malware through the Play Store and stay under the radar while doing it.
This new campaign includes multiple droppers, with more than 130,000 downloads between them, deploying two known Trojans to the victims’ mobile endpoints: Sharkbot and Vultur. While Sharkbot’s targets are exclusively Italians, Vultur’s operators are casting a somewhat larger net, targeting not just Italians, but also people in the UK, The Netherlands, Germany, and France.
Sharkbot’s modus operandi is simple: the version found on Google’s mobile app repository is not malicious, but as soon as the user turns it on, it displays a fake Play Store page, forcing the victim to “update” the app before using it. “Since victims are sure about the origin of the application, they will highly likely install and run the downloaded Sharkbot payload,” the researchers concluded.
Sharkbot’s goal is to transfer money, from bank accounts belonging to the victims, to the operators, via Automatic Transfer Systems. NCC Group described it as an “advanced technique” rarely used with Android malware, which enables threat actors to auto-fill fields in legitimate mobile banking apps.
Vultur, on the other hand, targets social media and messaging applications, banking apps and cryptocurrency exchange apps.
Between the two, Vultur seems to be the more successful Trojan, as Threat Fabric says it reached more than 100,000 potential fraud victims in the last few months.
“Distribution through droppers on Google Play still remains the most “affordable” and scalable way of reaching victims for most of the actors of different levels,” researchers concluded.
“While sophisticated tactics like telephone-oriented attack delivery require more resources and are hard to scale, droppers on official and third-party stores allow threat actors to reach wide unsuspecting audience with reasonable efforts.”
- Resist viruses and ransomware with the best firewall tools around
Via: Security Affairs (opens in new tab)