Unlike malicious apps that are dripping with malware making it harder to get listed in the Google Play Store (but not impossible, unfortunately), malware droppers look and act like your garden-variety apps. But when these apps notify users that an update is ready, what is really being installed is malware running in the background scooping up your banking information and other personal data….CONTINUE READ.ING HERE
In a new blog post, Amsterdam computer support company Threat Fabric warns Android users about a new banking Trojan designed to steal your login info, account number, and other financial information that might help the attackers steal your hard-earned cash. Like the Greek’s Trojan Horse, which from all appearances was a gift to the city of Troy only to be filled with Greek soldiers inside, Trojan malware ambushes users by looking like a legitimate app.
Fake Play Store listing asks you to update this malware dropper which actually installs a banking Trojan
Nonetheless, the report mentions that this new banking Trojan is called Sharkbot and one malware dropper purported to be an app to help users calculate their taxes in Italy. With over 10,000 installs, “Codice Fiscale” has an innocent-looking listing in the Play Store. If opened on a device, the app checks the country where the handset’s SIM is registered. If it didn’t match the code for Italy, no malicious behavior would take place.
If opened on a phone using a SIM registered in Italy, the app would open a fake Play Store page with a bogus listing for “Codice Fiscale.” This fake listing also revealed that an update was available for the app, something that all users would probably tap on. And while some browsers might warn the user about the update, the owner of the phone could feel comforted by the fact that the app was installed from the Google Play Store and go ahead with the update.
What was really being loaded on the phone was the aforementioned banking Trojan. And if you think that you’ve escaped having your personal info from your banking app stolen because you don’t live in Italy, you need to think again. Another dropper app, “File Manager Small, Lite,” targets banking apps used in other countries such as the U.S., U.K., Austria and Australia, Italy, Germany, Spain, and Poland.
Another banking Trojan, this one called Vultur, has been disseminated by three malware droppers also found in the Play Store: “Recover Audio, Images & Videos,” “Zetter Authentication” and “My Finances Tracker.” The first app listed has over 100,000 installs. Vultur keeps track of all taps and gestures made by an Android user on his/her phone. Similar to Sharkbot, this ploy uses a fake update to load the malware on a handset.
To combat these malware droppers, normally we’d suggest checking the comments section for red flags. However, attackers have been known to load up the comments section with fake reviews. And after the initial installation of one of these apps, you might see a fake Google Play Store listing with phony reviews in an attempt to get you to tap the update button. The victim himself is inadvertently causing the malware to load on his own phone.
ThreatFabric says that it always reports malware droppers in an attempt to have them removed from app stores. But just because an app is removed from an app store doesn’t mean it has been removed from your phone. So if you have one of these installed on your device, uninstall it immediately:
ThreatFabric adds, “Such way of distribution of Android banking Trojans is very dangerous as victims may stay unsuspecting for a long time and may not alert their bank about suspicious transactions made without them knowledge. Thus it is very important to take actions on the organization side to detect such malicious apps and their payloads as well as suspicious behavior happening on customer’s device….CONTINUE READ.ING HERE