A dropper found on Google Play is able to deliver Android malware.
Researchers at Zscaler and Securify found that an app on Google Play named “Earn Real Money Gift Cards” hides a variant of the Android banking Trojan BankBot, whose code leaked last year.
The developer of the app hiding BankBot also published a second application on Google Play, a game named “Bubble Shooter Wild Life.” The game is real, but it also contains functionality that turns it into a malware downloader.
The dropper appears to be under development, but an analysis of its code, which has been protected by its creator using the Allatori Obfuscator, shows it requests permission to bring in other apps.
“Most recent malware families have started using obfuscators, packers, and protectors to hinder analysis from security researchers and malware detection systems,” said Gaurav Shinde, a researcher at Zscaler, which is one of two security providers that found the dropper.
The dropper then tricks the user into giving it accessibility permissions by displaying a fake Google Service alert. While victims believe they are enabling a “Google Service,” they are actually enabling accessibility features.
Once this step has been completed, a fake Google service update window is displayed and an APK from the device’s memory card is installed in the background. The process that takes place in the background also involves enabling the Android option that allows installation of apps from unknown sources. The user does not need to perform any other actions after accessibility permissions are granted as everything else takes place automatically in the background.
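For app vetting, the behavior described above leaves traces in an app's manifest. The following is an added example, not code from Zscaler, Securify or the apps themselves. It assumes the manifest has already been decoded to text XML, and the heuristic (an accessibility service combined with storage or package-install permissions), the sample manifests and the package names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
BIND_A11Y = "android.permission.BIND_ACCESSIBILITY_SERVICE"
A11Y_ACTION = "android.accessibilityservice.AccessibilityService"
STORAGE = {"android.permission.READ_EXTERNAL_STORAGE",
           "android.permission.WRITE_EXTERNAL_STORAGE"}
INSTALL = "android.permission.REQUEST_INSTALL_PACKAGES"

def triage_manifest(xml_text):
    """Flag a decoded manifest that pairs an accessibility service with
    storage or package-install permissions (heuristic, an assumption)."""
    root = ET.fromstring(xml_text)
    perms = {p.get(NS + "name") for p in root.iter("uses-permission")}
    a11y = []
    for svc in root.iter("service"):
        actions = {a.get(NS + "name") for a in svc.iter("action")}
        if svc.get(NS + "permission") == BIND_A11Y or A11Y_ACTION in actions:
            a11y.append(svc.get(NS + "name"))
    checks = (("accessibility-service", bool(a11y)),
              ("external-storage", bool(perms & STORAGE)),
              ("install-packages", INSTALL in perms))
    findings = [label for label, hit in checks if hit]
    # A game has little reason to ship an accessibility service at all;
    # combined with storage or install access it deserves manual review.
    return {"package": root.get("package"), "services": a11y,
            "findings": findings, "review": bool(a11y) and len(findings) > 1}

# Constructed sample manifests (not taken from the apps named in the article).
GAME = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.game">
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application>
    <service android:name=".UpdateService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""
PLAIN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.notes">
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <application/>
</manifest>"""

if __name__ == "__main__":
    for manifest in (GAME, PLAIN):
        print(triage_manifest(manifest))
```

A hit is a reason for manual review, not a verdict: legitimate assistive apps declare accessibility services too.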
“With a simple campaign on social media the app can be spread rapidly, especially since the app appears to be a normal and fun game to the average user,” said Securify researchers Wesley Gahr and Niels Croese. “As we have long expected, droppers will probably become more common and be rented out as a service.”