Date: 2022-10-28

A new set of malware dropper apps has been discovered on the Google Play Store, with these apps using fake updates to install banking trojans on the devices of unsuspecting users.

As reported by BleepingComputer, malware droppers have a much easier time than malicious apps getting onto official app stores like the Play Store since they don’t actually contain any malicious code. Instead, they can infect Android smartphones with malware after you install them.

Malware dropper apps are also harder to spot than malicious apps since they work as advertised once installed, with all of their malicious behavior taking place in the background. In a new blog post from Threat Fabric, which first discovered these new malware droppers, the firm’s security researchers report seeing an uptick in use by cybercriminals, as malware droppers offer an easier way to infect vulnerable devices.

Delete these apps now

If you have any of the apps listed below installed on your Android smartphone or tablet, you will need to manually delete them immediately. However, it’s also worth taking a look at Threat Fabric’s research, as the firm has also included a list at the end of its blog post with all the banking apps and crypto wallets targeted by the malware these droppers leave on an infected device.

- Codice Fiscale 2022 - 10,000 downloads
- File Manager Small, Lite - 1,000 downloads
- Recover Audio, Images & Videos - 100,000 downloads
- Zetter Authentication - 10,000 downloads
- My Finances Tracker - 1,000 downloads

SharkBot and Vultur banking trojans

During its recent investigation, Threat Fabric found two malware dropper campaigns that distributed the SharkBot and Vultur malware.

SharkBot is an Android malware which uses overlays of fake login screens to steal your banking and other credentials. However, it can also steal and hide text messages and remotely take control of your Android smartphone.

The malware dropper apps used to distribute SharkBot in this campaign are called “Codice Fiscale 2022” and “File Manager Small, Lite.” Fortunately, the first app has only been downloaded 10,000 times by Italian Android users. The second app has only 1,000 downloads, but it can steal credentials from banking apps used in the US, UK, Italy, Germany, Spain, Poland, Austria and Australia.

Once one of these apps is installed on a user’s device, it prompts them to install a fake update that infects their smartphone with the SharkBot malware. These malware droppers also open a fake webpage that is designed to mimic the Play Store in an effort to trick users into clicking “Update.”

The malware dropper campaign used to deliver the Vultur malware is distributed by three apps: “Recover Audio, Images & Videos,” “Zetter Authentication” and “My Finances Tracker.” Vultur is also a banking trojan that uses remote screen streaming and keylogging of social media and messaging apps to steal user credentials. However, the new variant of this malware used in the campaign discovered by Threat Fabric can also record clicks, gestures and all other actions made by a victim on their Android device.

The malware droppers distributing the Vultur malware also use fake updates disguised as Play Store notices to install malware on a victim’s smartphone. Surprisingly, these malware droppers use AES encryption to hide what they’re really doing from automated scanners.

How to protect yourself from malware droppers

Just like with malicious apps, you can avoid malware dropper apps by being extra careful when installing new apps onto your Android smartphone. Before installing any app, you first need to consider whether or not you really need it. From there, you should read the reviews and check the app’s rating on the Play Store, but looking at external reviews (preferably video reviews) is a good idea as well since cybercriminals often use fake reviews to make their bad apps seem more appealing.

Thankfully, malware droppers often require you to install an update after putting them on your phone. If an app tries to do this and the update isn’t being delivered by Google through the Play Store, this is a major red flag and you should delete the app in question immediately.
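The red flag described above can also be checked after the fact. The following is an added example, not code from Threat Fabric or the original article: it parses the output of `adb shell pm list packages -3 -i` and lists third-party apps whose recorded installer is not the Play Store. The package names and the sample listing are constructed for illustration.

```python
import re
import subprocess

# Installer package name of the Google Play Store. Any other recorded
# installer (or none) means the app did not arrive through Play.
TRUSTED_INSTALLERS = {"com.android.vending"}

# Matches lines such as: package:com.example.app  installer=com.android.vending
LINE_RE = re.compile(r"^package:(?P<pkg>\S+)(?:\s+installer=(?P<inst>\S+))?")

def parse_pm_list(output):
    """Parse `pm list packages -3 -i` output into {package: installer or None}."""
    apps = {}
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank lines and anything that is not a package entry
        inst = m.group("inst")
        apps[m.group("pkg")] = None if inst in (None, "null") else inst
    return apps

def not_from_play(apps, trusted=TRUSTED_INSTALLERS):
    """Return sorted (package, installer) pairs that were not installed by Play."""
    return sorted((pkg, inst or "unknown")
                  for pkg, inst in apps.items() if inst not in trusted)

def device_listing():
    """Read the listing from a connected device (needs adb and USB debugging)."""
    result = subprocess.run(
        ["adb", "shell", "pm", "list", "packages", "-3", "-i"],
        capture_output=True, text=True, check=True)
    return result.stdout

# Constructed sample output; the com.example.* names are placeholders.
SAMPLE = """\
package:com.example.filemanager  installer=com.android.vending
package:com.example.update.payload  installer=com.google.android.packageinstaller
package:com.example.sideloaded  installer=null
package:com.example.notes  installer=com.android.vending
"""

if __name__ == "__main__":
    # Swap SAMPLE for device_listing() to check a real device.
    for pkg, inst in not_from_play(parse_pm_list(SAMPLE)):
        print(f"review: {pkg} (installer: {inst})")
```

A dropper downloaded from the Play Store will itself show the Play Store as its installer; what this check surfaces is the "update" it installed afterwards, along with any other app that was sideloaded.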

As for staying safe from malware, you'll want to ensure that Google Play Protect is enabled on your Android devices since it automatically scans for malware in the background. For additional protection though, you'll also want to install one of the best Android antivirus apps on your smartphone or tablet.

Google’s engineers work tirelessly to rid the Play Store of malicious apps. However, since they don’t contain any malicious code, malware droppers are more likely to bypass the search giant’s security measures, which is why you always need to watch out when installing any new app on your Android devices.