The new techniques of the ‘droppers’ to evade the controls of the Google Play Store

Google Play Store notification on an Android mobile – UNSPLASH

Malicious programs known as ‘droppers’ have evolved the technique with which they circumvent the security mechanisms of the official application stores, reducing the permissions they request or introducing new layers of obfuscation, with which they manage to reach thousands of downloads.

A dropper is a type of trojan that is downloaded to the victim’s device so that, once there, it installs the ‘malware’ that infects the device and carries out the malicious activity.

The cybersecurity company ThreatFabric has reviewed in its blog the latest discoveries in ‘droppers’ and the techniques that cybercriminals have deployed with the aim of circumventing the security mechanisms of the official application stores.

One such malicious program is SharkBot. At the beginning of the month, a new malicious campaign targeting Italian users was discovered, which distributed the ‘dropper’ from the Google Play Store inside a tax calculation application that had more than 10,000 installations.

The new version of SharkBot did not include suspicious permissions that could alert Google’s systems, narrowing them down to three fairly common ones: Internet access, reading from external storage, and writing to it.

Malicious activity was triggered only after checking that the SIM of the ‘smartphone’ on which it had been installed corresponded to Italy. It would then receive a ‘url’ with the payload that infects the device and open a fake page posing as the ‘app’ page on Google Play to urge the victim to update.

SharkBot was also found in a management application published in the Play Store, although this time without any registered downloads. In this case, the app did have permission to install packages.

ThreatFabric also mentions the ‘malware’ family Vultur, a banking Trojan first discovered in the summer of last year, with the ability to bypass Google Play Store controls.

The cybersecurity company has recently identified three ‘droppers’ in the Google store that installed Vultur, with between a thousand and 100,000 installations, posing as secure login or file recovery applications.

Because this is a new version of the ‘dropper’, researchers have identified obfuscation techniques that differ from those found in the first iterations. “The installation logic is not contained in the main DEX file, but in an additional dex file that is dynamically loaded” and “encrypts strings using AES with a variable key.” Added to this is an extensive accessibility log.
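As an added illustration, not code from ThreatFabric or from this article, the following Python heuristic scores an APK’s static-analysis record for the traits described above: a minimal permission set, a SIM country check, a dynamically loaded DEX and AES use next to it. The record format, the indicator lists and the two sample records are assumptions constructed for the example.

```python
# Added triage heuristic (not ThreatFabric's or the article's code): scores a
# static-analysis record of an APK for the dropper traits described above.

DYNAMIC_DEX_APIS = ("Ldalvik/system/DexClassLoader;", "Ldalvik/system/InMemoryDexClassLoader;")
SIM_COUNTRY_APIS = ("Landroid/telephony/TelephonyManager;->getSimCountryIso",)
AES_APIS = ("Ljavax/crypto/Cipher;->getInstance", "Ljavax/crypto/spec/SecretKeySpec;-><init>")
INSTALL_PERMISSION = "android.permission.REQUEST_INSTALL_PACKAGES"
COMMON_PERMISSIONS = {  # the three low-signal permissions the article mentions
    "android.permission.INTERNET",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}


def triage(record):
    """Return (score, findings) for a record with keys 'permissions',
    'api_refs' (smali-style method references) and 'assets' (file paths)."""
    perms, refs, assets = set(record["permissions"]), record["api_refs"], record["assets"]

    def uses(apis):
        return any(ref.startswith(api) for api in apis for ref in refs)

    findings = []
    dynamic = uses(DYNAMIC_DEX_APIS)
    if dynamic:
        findings.append("loads a DEX at runtime: install logic may sit outside classes.dex")
    if any(a.lower().endswith((".dex", ".jar")) for a in assets):
        findings.append("ships a secondary DEX/JAR under assets")
    if uses(SIM_COUNTRY_APIS):
        findings.append("reads the SIM country code: possible geofenced trigger")
    if dynamic and uses(AES_APIS):
        findings.append("AES next to dynamic loading: encrypted strings or payload")
    if INSTALL_PERMISSION in perms:
        findings.append("declares REQUEST_INSTALL_PACKAGES")
    elif dynamic and perms <= COMMON_PERMISSIONS:
        findings.append("only low-signal permissions yet loads code dynamically")
    return len(findings), findings


# Constructed sample records (not real APK data), one per behaviour profile.
SAMPLE_DROPPER = {
    "permissions": sorted(COMMON_PERMISSIONS),
    "api_refs": ["Ldalvik/system/DexClassLoader;-><init>",
                 "Ljavax/crypto/Cipher;->getInstance",
                 "Landroid/telephony/TelephonyManager;->getSimCountryIso"],
    "assets": ["assets/config.dat", "assets/extra.dex"],
}
SAMPLE_BENIGN = {
    "permissions": ["android.permission.INTERNET", "android.permission.CAMERA"],
    "api_refs": ["Ljavax/crypto/Cipher;->getInstance"],
    "assets": ["assets/fonts/regular.ttf"],
}

if __name__ == "__main__":
    for name, rec in (("dropper-like", SAMPLE_DROPPER), ("benign-like", SAMPLE_BENIGN)):
        score, notes = triage(rec)
        print(name, score, *notes, sep="\n  ")
```

A high score only flags a sample for manual review; legitimate apps also load code dynamically, so the verdict rests on the combination of traits rather than any single indicator.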
