
Another 130.000+ installations of malicious droppers from official store

A year ago, we highlighted a trend of malicious droppers in Google Play store used to distribute banking Trojans. We also predicted further efforts of cybercriminals to reduce the malicious footprint of their malware in order to stay undetected. Distribution through droppers on official stores remains one of the most efficient ways for threat actors to reach a wide and unsuspecting audience. Although other distribution methods are also used depending on cybercriminals' targets, resources, and motivation, droppers remain one of the best options on price-efforts-quality ratio, competing with SMiShing.

The history of competition between malware authors and security mechanisms knows several twists when new measures are introduced. Droppers on Google Play went from using AccessibilityService to auto-allow installation from unknown sources to using legitimate sources to control them and store malicious payloads. Following the updates to the “Developer Program Policy” and system updates, actors immediately introduce new ways to sneak into the official store, overcoming limitations or adjusting droppers to follow the guidelines and not arouse suspicion. A brief story of that battle is presented on the graph below.

In this blog we uncover additional tactics cybercriminals use in new Google Play droppers discovered by ThreatFabric analysts. These droppers have a cumulative number of 130k+ installations, distributing Sharkbot and Vultur banking Trojans.

Sharkbot: the less you see, the more they get

In the beginning of October 2022 ThreatFabric analysts spotted a new campaign of banking Trojan Sharkbot, targeting Italian banking users. This campaign involved Sharkbot version 2.29 – 2.32. Following the research path, our analysts were able to identify the dropper app located on Google Play with 10k+ installations and disguised as an app to calculate tax code in Italy (“Codice Fiscale”), targeting Italian users.

This is not the first time that a Sharkbot dropper sneaks into the official Google store, but this time the authors did their best to hide the malicious intents of the dropper. Previous versions of Sharkbot droppers, as well as other droppers (including those we highlight below in this blog), include the ability to download, install and launch the malicious payload.

Obviously, such behaviour is quite suspicious and already led Google to introduce changes to the Developer Program Policy, where usage of the REQUEST_INSTALL_PACKAGES permission was limited to apps that have it as core functionality. However, in this new iteration, Sharkbot dropper authors tried their best to not include suspicious permissions at all, thus maintaining an extremely low profile. The new dropper has only 3 permissions that are quite common.

To ensure that the dropper is launched on a real targeted device, the app obtains the SIM country and compares it to “it” (Italy): if not matched, no malicious activity will be performed. Besides, additional checks are made on the C2 side to ensure that the dropper is running on the targeted device: if the C2 is reached from a non-Italian IP address, the C2 will respond with a default “exit” message. Otherwise, it will receive configuration data with the URL containing the payload.

Here the interesting part starts: in order to avoid using the REQUEST_INSTALL_PACKAGES permission, the dropper opens a fake Google Play store page impersonating the Codice Fiscale app page. It contains fake information about the number of installations and reviews, and urges the victim to perform an update.

