Cybersecurity experts from Threat Fabric have discovered a new, somewhat successful effort to infect Android users with Trojans.
The experts caution that threat actors have been searching for new ways to distribute malware through the Play Store and remain undetected since Google introduced revisions to its “Developer Program Policy.”
With more than 130,000 downloads, this new campaign’s droppers spread two well-known Trojans—Sharkbot and Vultur—to the victims’ mobile endpoints. However, while Vultur’s operators target not just Italians but also people in the United Kingdom, the Netherlands, Germany, and France, Sharkbot’s operators only target people in Italy.
Phony Updates
The working principle of Sharkbot is straightforward: although the version available through Google’s mobile app repository is not harmful, as soon as the user activates it, a false Play Store page appears, requiring the victim to “update” the app before using it. Furthermore, the researchers concluded that victims are more inclined to install and run the downloaded Sharkbot payload because they are confident in the application’s origin.
Sharkbot’s objective is to use automatic transfer systems to transfer funds from the victims’ bank accounts to the operators. It’s an “advanced technique” with Android malware, according to NCC Group, that allows threat actors to pre-fill data in reputable mobile banking apps.
On the other hand, Vultur targets financial apps, bitcoin trading apps, social media and messaging apps.
Given that Threat Fabric reports that Vultur has reached more than 100,000 prospective fraud victims in recent months, it appears to be the more successful of the two Trojans.
Researchers concluded that “distribution through droppers on Google Play remains the most “cheap” and scalable way for most actors of different levels to reach victims.”
Droppers on official and third-party stores let threat actors reach people who need to learn what’s happening with little work. At the same time, complex strategies like telephone-oriented attack delivery cost more resources and are difficult to scale.