Attackers are honing Google Play dropper campaigns, overcoming app store restrictions.
Overcoming Google Play app restrictions, attackers have successfully racked up more than 300,000 banking trojan installations over just the past four months in the official Android app marketplace.
Researchers from Threat Fabric reported that these threat groups have honed their ability to use Google Play to propagate banking trojans by shrinking the footprint of their dropper apps, reducing the number of permissions they ask for, boosting the overall quality of the attack with better code and standing up convincing companion websites.
Droppers are apps that act as first-stage implants, whose job it is to fetch and install other, final payloads — in this case, banking trojans. The report offered the example of cyberattackers’ ingenuity in sneaking these onto Google Play: A dropper app disguised as a fitness service with an actual functioning back-end site to match.
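The dropper pattern described above (a lean app that declares few permissions up front, then fetches and installs a second-stage payload) is what a defender would look for in device or MDM telemetry. The following is an added illustration, not code from the article or from Threat Fabric's report: a small Python heuristic run over constructed install and post-install events. The event schema, package names and sample telemetry are assumptions; the one Android identifier it relies on, `android.permission.REQUEST_INSTALL_PACKAGES`, is the real permission an app needs before it can hand an APK to the package installer.

```python
"""Added example (not from the article or the Threat Fabric report): a
defender-side heuristic that flags dropper-like behaviour in constructed
device telemetry. A dropper is a first-stage app that asks for few
permissions at install time and later fetches and installs a second payload.
The event schema, package names and telemetry below are assumptions."""

from dataclasses import dataclass, field

# Real Android permission required before an app can invoke the package
# installer; a second-stage install needs it at some point.
INSTALL_PERMISSION = "android.permission.REQUEST_INSTALL_PACKAGES"

# Permissions whose presence in the store listing would already draw a
# reviewer's eye; a lean dropper avoids declaring them up front.
SENSITIVE = {
    "android.permission.READ_SMS",
    "android.permission.BIND_ACCESSIBILITY_SERVICE",
    "android.permission.SYSTEM_ALERT_WINDOW",
}


@dataclass
class AppRecord:
    package: str
    install_permissions: set            # declared in the listing at install time
    events: list = field(default_factory=list)  # (event_type, detail) after install


def score_dropper(app: AppRecord) -> dict:
    """Return a verdict plus the indicators that fired.

    Indicators, following the behaviour the article describes:
      - lean install-time footprint: no sensitive permission declared up front
      - an APK is downloaded from the network after install
      - the package installer is invoked (install permission granted at
        runtime, or an explicit package-install event)
    The last two together are the dropper pattern; a benign lean app hits
    only the first.
    """
    lean = not (app.install_permissions & SENSITIVE)
    downloaded_apk = any(
        t == "download" and d.lower().endswith(".apk") for t, d in app.events
    )
    triggered_install = any(
        (t == "permission_grant" and d == INSTALL_PERMISSION) or t == "package_install"
        for t, d in app.events
    )
    fired = [
        name
        for name, hit in (
            ("lean_install_footprint", lean),
            ("apk_downloaded_post_install", downloaded_apk),
            ("second_stage_install", triggered_install),
        )
        if hit
    ]
    return {
        "package": app.package,
        "dropper_like": downloaded_apk and triggered_install,
        "indicators": fired,
    }


# Constructed telemetry: a benign lean fitness app and a dropper-like one.
SAMPLE_APPS = [
    AppRecord(
        "com.example.fitness.benign",
        {"android.permission.INTERNET"},
        [("download", "https://example.invalid/workouts.json")],
    ),
    AppRecord(
        "com.example.fitness.dropper",
        {"android.permission.INTERNET"},
        [
            ("download", "https://example.invalid/update/stage2.apk"),
            ("permission_grant", INSTALL_PERMISSION),
            ("package_install", "com.example.stage2"),
        ],
    ),
]


def flag_droppers(apps=SAMPLE_APPS) -> list:
    """Return the verdicts for every app that matches the dropper pattern."""
    return [v for v in (score_dropper(a) for a in apps) if v["dropper_like"]]


if __name__ == "__main__":
    for verdict in (score_dropper(a) for a in SAMPLE_APPS):
        print(verdict)
```

The point of keying on post-install behaviour rather than the store listing is exactly the evasion the article describes: a listing with only `INTERNET` looks harmless, so the signal has to come from what the app does after it is on the device.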
“To make themselves even more difficult to detect, the actors behind these dropper apps only manually activate the installation of the banking trojan on an infected device in case they desire more victims in a specific region of the world,” the Threat Fabric researchers added. “This makes automated detection