Unlike rogue apps that are loaded with malware, making it harder to get listed in the Google Play Store (but not impossible, unfortunately), malware droppers look and act like your backyard apps. But when these apps notify users that an update is ready, what is actually installed is malware running in the background that grabs your banking information and other personal data.

Banking Trojans Act Like Legit Apps Until You Hit the Update Button

in a new blog post, Amsterdam IT support company Threat Fabric warns Android users about a new banking Trojan designed to steal your login details, account number and other financial information that could help attackers to steal your hard earned money. Like the Greek Trojan, which apparently was a gift to the city of Troy to be filled with Greek soldiers inside, the Trojan malware ambushes users by looking like a legitimate application.

Nevertheless, the report mentions that this new banking Trojan is called Sharkbot and a malware dropper claims to be an application to help users calculate their taxes in Italy. With over 10,000 installs, “Codice Fiscale” has an innocent-looking listing in the Play Store. If opened on a device, the application checks the country in which the handset’s SIM card is registered. If it didn’t match Italy’s code, no malicious behavior would take place.

If opened on a phone using a SIM card registered in Italy, the app would open a fake Play Store page with a fake listing for “Codice Fiscale”. This fake listing also revealed that an update was available for the app, something that all users would likely press. And while some browsers may notify the user about the update, the phone owner may feel reassured that the app was installed from the Google Play Store and proceed with the update.
What was actually loaded onto the phone was the aforementioned banking Trojan. And if you think you escaped having your personal information stolen from your banking app because you don’t live in Italy, you need to think again. Another app dropper, “File Manager Small, Lite”, targets banking apps used in other countries such as US, UK, Austria and Australia, Italy, Germany , Spain and Poland.

Another banking Trojan, this one called Vultur, was delivered by three malware droppers also found in the Play Store: “Recover Audio, Images & Videos”, “Zetter Authentication”, and “My Finances Tracker”. The first app listed has over 100,000 installs. Vultur keeps track of all taps and gestures performed by an Android user on their phone. Similar to Sharkbot, this scheme uses a fake updater to load the malware onto a handset.

Uninstall these five apps if they have been installed on your Android phone

To combat these malware droppers, we normally suggest checking the comments section for red flags. However, attackers have been known to load the comments section with fake reviews. And after the initial installation of any of these apps, you might see a fake Google Play Store listing with fake reviews in an attempt to make you hit the update button. The victim himself inadvertently causes the malware to load on his own phone.

ThreatFabric says it always flags malware droppers in an effort to get them removed from app stores. But just because an app is removed from an app store doesn’t mean it’s been removed from your phone. So, if any of these are installed on your device, uninstall it immediately:

  • Recover audio, images and videos – 100,000 downloads
  • Tax Code 2022 – 10,000 downloads
  • Zetter authentication – 10,000 downloads
  • File Manager Small, Lite – 1,000 downloads
  • My Finances Tracker – 1,000 downloads
ThreatFabric adds: “Such a way of distributing Android banking Trojans is very dangerous because victims may remain unsuspecting for a long time and not alert their bank to suspicious transactions carried out without their knowledge. It is therefore very important to take measures from the side of the organization. to detect these malicious applications and their payloads as well as suspicious behavior occurring on the customer’s device. »