Today our SfyLabs threat intel team found a suspicious-looking Bankbot APK. After further investigation it turned out to be present in the Google Play Store:
Bankbot in Google Play
As it turned out, there was also another APK from this developer. Apparently the guy is also an avid game developer. Initially it looked like a simple (and quite fun, according to Wesley) game, but after some deeper investigation we became suspicious...
Game in Google Play
Dissecting the game
So on initial startup the game asks for permission to draw over other apps:
Permission request to draw over apps
This permission is most likely needed for the trickery it does afterwards. According to the decompiled code, the app should at some point ask the user to enable it as an Accessibility Service. Because this didn't happen automatically, we decided to enable it manually:
Accessibility Service enabled
When the app obtains its Accessibility Service status it displays a screen saying it is performing a Google update. This screen is simply a "holding screen" to prevent the user from interfering with what is happening in the background:
Using its elevated status, the app enables "Unknown sources" through the settings activity and installs another APK file, which is first copied from the APK assets to the sdcard. In the current app in the Play Store there is no APK present, which means nothing serious happens. Because we wanted to try this out, we put a dummy app in the same location on the sdcard and started the dropper app. This is what happened:
Dropper installs APK from sdcard
We also captured the above flow in a short clip, which can be seen below:
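The behaviour described above (overlay permission, an Accessibility Service declaration, and a second APK shipped in the assets) can be turned into a simple static triage check. The following is an added example, not SfyLabs code; it assumes the manifest has been decoded to text XML (for instance with apktool) and that the asset listing comes from the APK's zip entries. The manifest and asset list below are constructed samples.

```python
"""Static triage heuristic for the overlay + accessibility + embedded-APK
dropper pattern. Added example; assumes an apktool-style decoded manifest."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"
OVERLAY_PERMISSION = "android.permission.SYSTEM_ALERT_WINDOW"

# Constructed sample manifest modelled on the behaviour described in the post.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.game">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <service android:name=".UpdateService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed zip entry listing of the same APK, containing an embedded APK.
SAMPLE_ASSETS = ["assets/levels.json", "assets/payload.apk"]


def dropper_indicators(manifest_xml, asset_paths):
    """Return the set of indicators present: 'overlay_permission',
    'accessibility_service' and 'embedded_apk'."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    found = set()
    # Permission to draw over other apps (the "holding screen").
    for perm in root.iter("uses-permission"):
        if perm.get(name_attr) == OVERLAY_PERMISSION:
            found.add("overlay_permission")
    # A service bound as an AccessibilityService (used to click through settings).
    for action in root.iter("action"):
        if action.get(name_attr) == ACCESSIBILITY_ACTION:
            found.add("accessibility_service")
    # A second APK carried in the assets directory.
    if any(p.startswith("assets/") and p.lower().endswith(".apk") for p in asset_paths):
        found.add("embedded_apk")
    return found


def is_suspected_dropper(manifest_xml, asset_paths):
    """All three indicators together match the pattern described in the post."""
    return len(dropper_indicators(manifest_xml, asset_paths)) == 3
```

As the post notes, the version in the Play Store carried no embedded APK yet, so on that build only the first two indicators would fire; treating those two alone as worth a manual look catches the dropper before its payload is added.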
It looks like the developer is still working on improving his dropper app. Any new update to the app (the last one was 2 days ago) can add an embedded APK, which will be installed after the app is started. With a simple campaign on social media the app can be spread rapidly, especially since it appears to be a normal and fun game to the average user. As we have long expected, droppers will probably become more common and be rented out as a service.