Unlike apps that carry malware themselves, which makes it difficult (but not impossible, unfortunately) for them to get listed on the Google Play Store, malware droppers look and act like garden-variety apps. However, when these apps notify users that an update is ready, they are actually installing malware that runs in the background and collects your bank details and other personal information.
Banking Trojans behave like legitimate applications until you click the Update button
In a new blog post, Amsterdam-based computer company ThreatFabric is warning Android users about a new banking Trojan designed to steal login credentials, account numbers and other financial information that could help attackers steal your hard-earned money. Like the Greek Trojan horse, which appeared to be a gift to the city of Troy but was filled with Greek soldiers, Trojan malware ambushes users by posing as a legitimate application.
According to the report, this new banking trojan is called Sharkbot, and one of its malware droppers poses as an app that helps users calculate taxes in Italy. With over 10,000 installs, “Codice Fiscale” has an innocent-looking listing on the Play Store. When the application is opened on the device, it checks the country where the phone’s SIM card is registered. If that does not match the code for Italy, no malicious behavior occurs.
If the app is opened on a phone with a SIM card registered in Italy, it opens a fake Play Store page with a bogus “Codice Fiscale” listing. This fake listing also shows that an update is available for the app, which users would likely tap. And while some browsers may notify the user about the update, the phone owner may feel reassured that the app was installed from the Google Play Store and proceed with the update.
What is actually being loaded onto the phone is the aforementioned banking trojan. And if you think you have escaped having your personal data stolen from your banking app because you don’t live in Italy, think again. Another dropper app, “File Manager Small, Lite”, targets banking apps used in other countries such as the US, UK, Austria, Australia, Italy, Germany, Spain and Poland.
Another banking trojan, this one called Vultur, was distributed by three malware droppers also found in the Play Store: “Restore Audio, Images and Videos”, “Zetter Authentication” and “My Finances Tracker”. The first app listed has more than 100,000 installs. Vultur tracks all the taps and gestures an Android user makes on their phone. Similar to Sharkbot, Vultur is loaded onto your phone through a fake update.
Uninstall these five apps if they were installed on your Android phone
To combat these malware droppers, we usually recommend checking the comments section for red flags. However, attackers have been known to fill the comment section with fake reviews. And after initially installing one of these apps, you may see a fake listing on the Google Play Store with fake reviews in an attempt to trick you into clicking the update button. The victims themselves inadvertently cause the malware to be loaded onto their own phones.
ThreatFabric says it’s always reporting malware droppers in an effort to remove them from app stores. But just because an app is removed from the app store doesn’t mean it’s been removed from your phone. So if you have one of these installed on your device, uninstall it immediately:
- Recover audio, images and videos – 100,000 downloads
- Codice Fiscale 2022 – 10,000 downloads
- Zetter Authentication – 10,000 downloads
- File Manager Small, Lite – 1,000 downloads
- My Finances Tracker – 1,000 downloads
ThreatFabric adds: “This way of distributing Android banking Trojans is very dangerous, as victims can remain unaware for a long time and may not notify their bank of suspicious transactions made without their knowledge. Therefore, it is very important to take action on the part of the organization to detect such malicious applications and their payloads as well as suspicious behavior occurring on the customer’s device.”