The Android banking Trojan Vultur has reached a total of more than 100,000 downloads on the Google Play Store, says a new advisory from cybersecurity experts at Cleafy.
The dropper hides behind a fake utility application. Because of its relatively limited permissions and small footprint, it appears as a legitimate app and can elude Google Play security measures.
“Although most of the banking trojans are distributed via *ishing campaigns, TAs [threat actors] also use official app stores to deliver their malware using dropper applications, namely an application designed to download malware into the target device,” the Cleafy team explained.
According to the advisory, one of the primary reasons behind this choice is reaching more potential victims and securing a greater likelihood of committing fraud.
“Furthermore, since these droppers hide behind utility apps and come from a trusted source, they can mislead even ‘experienced’ users,” Cleafy wrote.
“This explains why, even though an overview of this dropper was already described in the last article of Threat Fabric, we decided to publish this report and analyze in detail how this application ended up in the Play Store and attempted to commit bank fraud.”
From a technical standpoint, after installation, the dropper uses advanced evasion techniques, including steganography, file deletion and code obfuscation, in addition to multiple checks before downloading the malware.
“Once the banking trojan (Vultur) has been downloaded and installed through a fake update, threat actors can observe everything that happens on the infected devices and carry out bank fraud through account takeover attacks,” Cleafy explained.
According to the security experts, the Vultur campaigns show how threat actors constantly improve their techniques to stay undetected using advanced evasion techniques.
“At the same time, the use of official app stores to deliver banking trojans to reach a more significant number of potential victims is a new trend that is gaining strength,” Cleafy added. “We expect to see new sophisticated banking droppers campaigns on the official stores in the next months.”
The advisory includes a list of Indicators of Compromise (IoCs) for Vultur infections. The technical write-up’s publication comes days after Malwarebytes released new data suggesting a group of four apps with over a million downloads is listed on Google Play and infected with the HiddenAds malware.