Skip to content

Malware wars: the attack of the droppers

28 October 2022

Another 130.000+ installations of malicious droppers from official store

A year ago, we highlighted a trend of malicious droppers in Google Play store used to distribute banking Trojans. We also predicted further efforts of cybercriminals to reduce the malicious footprint of their malware in order to stay undetected. Distribution through droppers on official stores remains one of the most efficient ways for threat actors to reach a wide and unsuspecting audience. Although other distribution methods are also used depending on cybercriminals targets, resources, and motivation, droppers remain one of the best option on price-efforts-quality ratio, competing with SMiShing.


The history of competition between malware authors and seсurity mechanisms knows several twists when new measures are introduced. Droppers on Google Play went from using AccessibilityService to auto-allow installation from unknown sources to using legitimate sources to control them and store malicious payloads. Following the updates to the “Developer Program Policy” and system updates, actors immediately introduce new ways to sneak to the official store, overcoming limitations or adjusting droppers to follow the guidelines and not arouse suspicion. A brief story of that battle is presented on the graph below.


In this blog we uncover additional tactics cybercriminals use in new Google Play droppers discovered by ThreatFabric analysts. These droppers have cumulative number of 130k+ installations distributing Sharkbot and Vultur banking Trojans.

Sharkbot: the less you see, the more they get

In the beginning of October 2022 ThreatFabric analysts spotted a new campaign of banking Trojan Sharkbot, targeting Italian banking users. This campaign involved Sharkbot version 2.29 – 2.32. Following the research path, our analysts were able to identify the dropper app located on Google Play with 10k+ installations and disguised as an app to calculate tax code in Italy (“Codice Fiscale”) targeting Italian users.


This is not the first time that a Sharkbot dropper sneaks into the official Google store, but this time authors did their best to hide the malicious intents of the dropper. Previous versions of Sharkbot droppers as well as other droppers (including those we highlight below in this blog) include ability to download, install and launch the malicious payload. Obviously, such behaviour is quite suspicious and already made Google to introduce changes to the Developer Program Policy where usage of REQUEST_INSTALL_PACKAGES permission was limited to apps that have it as core functionality.

However, in this new iteration, Sharkbot dropper authors tried their best to not include suspicious permissions at all, thus maintaining an extremely low profile. The new dropper has only 3 permissions that are quite common.


To ensure that the dropper is launched on a real targeted device, the app obtains the SIM coutry and compares it to “it” (Italy): if not matched, no malicious activity will be performed. Besides, additional checks are made on the C2 side to ensure that the dropper is running on the targeted device: if C2 is reached from a non-Italian IP address, the C2 will respond with a default “exit” message. Otherwise, it will receive a configuration data with the URL containing the payload.


Here the interesting part starts: in order to avoid using REQUEST_INSTALL_PACKAGES permission, the dropper opens a fake Google Play store page impersonating Codice Fiscale app page. It contains fake information about the number of installations and reviews, and urges the victim to perform an update. Shortly after the page is opened, the automatic download starts. Thus, the dropper outsources the download and installation procedure to the browser, avoiding suspicious permissions.


Obviously, such approach requires more actions from the victim, as the browser will show several messages about the downloaded file. However, since victims are sure about the origin of the application, they will highly likely install and run the downloaded Sharkbot payload.

During our investigation, we also found another Sharkbot dropper available on Google Play. It had zero installations at the time of discovery and was quickly removed from the website. The interesting detail about this dropper was that it had the REQUEST_INSTALL_PACKAGES permission in place and operated more in line with usual dropper’s behaviour. Actors were also following the updated policy of Google, as this dropper was masqueraded as file manager, a category that is allowed to have this permission due to it being a core functionality.


Similarities in code, C2 communication, and encryption used lead us to the same author behind the older versions of Sharkbot dropper, trying to reduce footprints and stay undetected.


The new “Codice Fiscale” dropper discovered by ThreatFabric is configured to distribute Sharkbot payload to Italian users only, while the other “File Manager” dropper has Italy and UK in its configuration. At the same time, the payload delivered still has banks from Italy, UK, Germany, Spain, Poland, Austria, US, and Australia in its target list. Please, find the full target list in Appendix.

Vultur: Brunhilda is back

Another malware family that has been very active in the last year has been Vultur. First discovered by ThreatFabric in July 2021, Vultur is an Android banking trojan which specializes in stealing PII from infected devices using its screen-streaming capabilities. It is also able to create a remote session on the device using VNC technology to perform actions on the victim’s device, effectively leading to On-Device Fraud (ODF).

Upon discovery, ThreatFabric first reported the strong connection between this malware family, and the “Brunhilda Project” crew. This Threat Actor was known for its central role in the distribution sector of the Android Banking malware landscape thanks to its dropper applications, which managed often to pass Google security checks and be approved on the Google Play Store. Initially, the Brunhilda droppers were deploying a variety of Android malware applications, like for example samples of the malware family Alien. However, after the first discovery of Vultur, every dropper found on the Google Play Store only installed samples belonging to the Vultur malware family.

Recently, ThreatFabric discovered 3 new Droppers on the Google Play store, ranging from 1.000 to 100.000 installations reported by Google. As previous campaigns observed throughout 2022, these droppers pose as applications like security authenticators, or file recovery tools.


The Dropper

The dropper applications are consistent with the droppers that we reported in our first blog about Vultur, and the modus operandi has not changed much with respect to older variants. As usual, the dropper is made of a trojanized application, which provides the advertised functionality, as well as the hidden dropper functionality. As previously reported, the dropper initially sends a registration message to its C2 server. As a response, the server sends back an appToken, which is then used in the following requests to identify the device. At this point, the dropper prompts the victim with a screen asking to download an update for the current application. If the user accepts the displayed request, the dropper proceeds to install Vultur.


In terms of execution of the installation, there are no real updates from previous versions of Brunhilda. However, the dropper currently implements a few obfuscation techniques which were not present in initial versions of the dropper. Firstly, in these new version, the installation logic is not contained in the main DEX file, but in a additional dex file which is loaded dynamically. This additional step can complicate the life of researchers, making it harder to identify the code responsible for malicious activity.

The latest version of Brunhilda also implemented a new layer of obfuscation, which encrypts strings by using AES with a varying key, which is included in the byte array that is given as input to the decryption method, as explained in the picture below:


Once the payload is installed, the Brunhilda dropper launches the malware, and then continues existing on the device, acting as the application it is posing as.


These Brunhilda droppers all deploy samples belonging to a novel variant of Vultur Android Banking malware family.

This new variant maintains the Modus Operandi that characterized the original samples from 2021: once installed, the malware initiates a connection with its C2, and after registering it obtains its configuration containing its targets. Vultur features two separate target lists: one for screen-streaming targets and one for keylogging targets. Similarly to its older variant, the keylogging targets are social and messaging applications, while the screen-streaming targets are applications for online banking and cryptocurrency exchange. However, in this new variant, this second set of targets is also the list of applications for which extensive accessibility logging is performed.

capabilities (1)

By accessibility logging we mean the extensive logging of all UI elements and all the events associated with them (like for example clicks, gestures, etc). This is not a novel technique, but it is the first time we see it implemented in Vultur. This might be a solution to the issue created by a security flag often used in these banking applications: Android offers a way to tag the content of the window as secure, by using the “FLAG_SECURE”, which prevents it “from appearing in screenshots or from being viewed on non-secure displays”. ThreatFabric tested this and is able to confirm that windows with this flag enabled only show a black screen during screen-streaming. However, if the keyboard is opened during interaction with the secured app, it will be visible on the recording as well as all the keys pressed by victim leading to potential theft of input data. In this case, it is possible to obtain enough information to steal credentials even with a black screen, when all the UI events are logged and sent to the C2.


In our previous blog we documented through our research why we believe that Vultur, the malware downladed by these droppers, is a malware family that is not only distributed, but also created by the criminals behind the Brunhilda Project. In addition to the reasons discussed in our previous blog, which focus on the networking protocol used, new variants of Vultur also adopted the very same string obfuscation algorithm discussed in the previous section about the Brunhilda Dropper, further confirming our beliefs about the connection between these two malware families.


These new Brunhilda-Vultur campaigns have been very active and successful in the last few months, reaching more than 100.000 potential fraud victims. Based on our research and investigation, in addition to cryptowallets which have always been in the target list, the largest campaign we observed focused on UK and Netherlands, while the two smaller and more recent ones switched to Germany, France, and Italy. Full target list of Vultur is provided in Appendix.


Another trend predicted by ThreatFabric’s experts comes true and looks like it is here to stay. Malicious dropper applications still find their way to sneak in the official store despite the changes made to the policy and security mechanisms. Distibution through droppers on Google Play still remains the most “affordable” and scalable way of reaching victims for most of the actors of different level. While sophisticated tactics like telephone-oriented attack delivery require more resources and are hard to scale, droppers on official and third-party stores allow threat actors to reach wide unsuspecting audience with reasonable efforts. Such way of distribution of Android banking Trojans is very dangerous as victims may stay unsuspecting for a long time and may not alert their bank about suspicious transactions made without them knowlege. Thus it is very important to take actions on the organisation side to detect such malicous apps and their payloads as well as suspicious behaviour happenning on customer’s device.

We at ThreatFabric always report malicous droppers we indentified to remove it from official stores and limit its further distribution. Financial organisations are welcome to contact us: if you suspect some app be involved in malicious activity, feel free to reach our Mobile Threat Intelligence team which will provide additional details and help with reporting the malicous app if identified:

Fraud Risk Suite

ThreatFabric’s Fraud Risk Suite enables safe & frictionless online customer journeys by integrating industry-leading mobile threat intel, behavioural analytics, advanced device fingerprinting and over 10.000 adaptive fraud indicators. This will give you and your customers peace of mind in an age of ever-changing fraud.


Sharkbot Droppers

App name Package name SHA-256
Codice Fiscale 2022 5649fb11661e059a6fa276127be2ea688471fec7cd3b1f4b2745a7d2b048cc26
File Manager Small, Lite com.paskevicss752.usurf 84cad5780bb72075a9904040811e82fae39243d0a28c51f6095bc8b841c55356

Sharkbot Samples

App name Package name SHA-256
_Codice Fiscale com.hzpwksdljgeibc.gmzjwdule 0cbd727b7fa8d9938746475e91fb22a46b75cdcca2778db78073e3c3da70ad31
_Codice Fiscale com.gxulzkj.atuqczml 008338b39c0abf3aa75e92e845c34ac60e049a480eb1e0ab8d3147085a7bb745

Brunhilda Droppers

App name Package name SHA-256
My Finances Tracker 0626e98f9988c63684e575d7a0df839240f7963aed38f82010e63b1b85a9ef61
RecoverFiles com.umac.recoverallfilepro e94a6f7dcdddd4b8c18110993f118f86d3cbfe1faf330f9968aaa7095dd189a4
Zetter Authenticator com.zetter.fastchecking 54139e2e008ed2ebcb4fc71d8aa2470727a724c8607464d9c3688e9506952529

Vultur Samples

App name Package name SHA-256
RecoverFiles com.accessible.recoverypro cae3a48013fcea931f6b84e196f625e27017a1cdc97c1d86c8077db431abd508
Zetter Authenticator com.zforce.setupex 8584d43067535dc97d12c4565e1636e3a1963421fe811ff6e58b4dbd7e5b947d

Sharkbot Targets

Package name App name NAB Mobile Banking George Österreich Bank of Scotland Mobile Banking: secure on the go N26 — The Mobile Bank Luno: Buy Bitcoin, Ethereum and Cryptocurrency Fineco PayPal Mobile Cash: Send and Request Money Fast CaixaBank
com.targo_prod.bad TARGOBANK Mobile Banking Halifax: the banking app that gives you extra
pl.pkobp.iko IKO St.George Mobile Banking BNL
com.vipera.chebanca CheBanca! Santander Mobile Banking Wells Fargo Mobile* Sparkasse Blockchain Wallet. Bitcoin, Bitcoin Cash, Ethereum CommBank Unicaja Banco MBNA - Card Services App
de.postbank.finanzassistent Postbank Finanzassistent Barclays Capital One® Mobile Advanzia TSB Mobile Banking
com.latuabancaperandroid Intesa Sanpaolo Mobile Citi Mobile® Virgin Money Mobile Banking Lloyds Bank Mobile Banking: by your side
posteitaliane.posteapp.appbpol BancoPosta
com.lynxspa.bancopopolare YouApp
de.commerzbanking.mobil Commerzbank Banking - The app at your side HSBC UK Mobile Banking
com.CredemMobile Credem Starling Bank - Better Mobile Banking Binance - Buy & Sell Bitcoin Securely The Co-operative Bank TransferWise Money Transfer
com.usbank.mobilebanking U.S. Bank - Inspired by customers

Vultur Targets

Package name Application name Wallet Aion Bank Bitcoin Wallet. Buy & Exchange BTC coin-Freewallet
bvm.bvmapp Knab Bankieren
cash.klever.blockchain.wallet Klever Wallet: Buy Bitcoin, Ethereum, Tron, Crypto isi-mobile Cassa di Risparmio Mediobanca Private Banking Luno: Buy Bitcoin, Ethereum and Cryptocurrency
co.clabs.valora Valora - Crypto Wallet Edge - Bitcoin, Ethereum, Monero, Ripple Wallet - Buy Bitcoin Now Nationwide Banking App
com.CredemMobile Credem
com.IngDirectAndroid ING France
com.VBSmartPhoneApp BankUp Mobile ABN AMRO Mobiel Bankieren Amex Italia Amex United Kingdom Crédit Mutuel de Bretagne
com.bankid.bus BankID säkerhetsapp
com.banknorwegian Bank Norwegian Barclays Barclaycard BBVA Italia Banca Online Binance - Buy & Sell Bitcoin Securely
com.bitcoin.mwallet Bitcoin Wallet
com.bitfinex.mobileapp Bitfinex
com.bitpanda.bitpanda Bitpanda - Buy Bitcoin in minutes Bittrex Global
com.bituniverse.portfolio BitUniverse:Crypto Trading Bot Boursorama Banque
com.breadwallet BRD Bitcoin Wallet. Buy BTC Bitcoin Cash, Ethereum bunq - bank of The Free Bybit: Crypto Trading Exchange Banque
com.cic_prod.bad CIC
com.cm_prod.bad Crédit Mutuel Coinbase – Buy & Sell Bitcoin. Crypto Wallet Coinbase Pro – Bitcoin & Crypto Trading
com.coinbase.wallite Coinbase Wallet Lite
com.coinomi.wallet Coinomi Wallet :: Bitcoin Ethereum Altcoins Tokens CoinSpot - Buy & Sell Bitcoin
com.comeco.teo TEO - Das neue Multibanking The Co-operative Bank
com.crypterium Crypterium Bitcoin Wallet
com.crypto.multiwallet Guarda Crypto Bitcoin Wallet Cryptonator cryptocurrency wallet
com.db.pbc.miabanca La Mia Banca
com.db.pwcc.dbmobile Deutsche Bank Mobile
com.defi.wallet l DeFi Wallet DigiFinex - Buy & Sell Bitcoin, Crypto Trading Enjin: Bitcoin, Ethereum, Blockchain Crypto Wallet
com.etoro.openbook eToro - Smart Crypto Trading Made Easy
com.etoro.wallet eToro Money
com.fideuram.alfabetobanking Alfabeto Banking
com.fidor.fsw Fidor Smart Banking Fineco
com.firstdirect.bankingonthego first direct Gemini: Buy Bitcoin Instantly Penta – Business Banking App Bank of Scotland Mobile Banking: secure on the go Lloyds Bank Mobile Banking: by your side Halifax: the banking app that gives you extra
com.hanseaticbank.banking Hanseatic Bank Mobile
com.hittechsexpertlimited.hitbtc HitBTC – Bitcoin Trading and Crypto Exchange Capital One UK ING Bankieren
com.kontist Kontist Tax Service Kraken - Buy Bitcoin & Crypto Pro: Advanced Bitcoin & Crypto Trading
com.krakenfutures Kraken Futures: Bitcoin & Crypto Futures Trading
com.kubi.kucoin KuCoin: Bitcoin Exchange & Crypto Wallet
com.latuabancaperandroid Intesa Sanpaolo Mobile Intesa Sanpaolo Business
com.liberty.jaxx Jaxx Liberty: Blockchain Wallet Lumi Crypto and Bitcoin Wallet
com.lynxspa.bancopopolare YouApp Mediolanum Mercuryo Bitcoin Cryptowallet
com.mycelium.wallet Mycelium Bitcoin Wallet
com.ocito.cdn.activity.banquesmc SMC pour Mobile
com.ocito.cdn.activity.creditdunord Crédit du Nord pour Mobile OKEx - Bitcoin/Crypto Trading Platform Webank Orange Bank
com.paxful.wallet Paxful Bitcoin Wallet Money Transfer App Paysend Phemex: Buy Crypto & Bitcoin
com.pionex.client Pionex - Crypto Trading Bot
com.plunien.poloniex Poloniex Crypto Exchange
com.plutus.wallet Abra: Bitcoin, XRP, LTC NatWest Mobile Banking Royal Bank of Scotland Mobile Banking Ulster Bank NI Mobile Banking
com.revolut.revolut Revolut - Get more from your money Robinhood - Investment & Trading, Commission-free
com.satispay.customer Satispay
com.scrignosa SCRIGNOIdentiTel
com.sella.BancaSella Banca Sella
com.sisal.sisalpay Mooney App: pagamenti digitali Cash App BW-Mobilbanking mit Smartphone und Tablet Sparkasse Ihre mobile Filiale Starling Bank - Better Mobile Banking Outbank - 360° Banking StormGain: Bitcoin Wallet & Crypto Exchange App
com.superchain.lbankgoogle LBank - Buy Bitcoin & Crypto TabTrader Buy Bitcoin and Ethereum on exchanges
com.targo_prod.bad TARGOBANK Mobile Banking Tesco Bank Mobile Banking TransferWise Money Transfer
com.triodos.bankingnl Triodos Bankieren NL
com.unicredit Mobile Banking UniCredit
com.uphold.wallet Uphold - Trade, Invest, Send Money For Zero Fees
com.vipera.chebanca CheBanca! Virgin Money Mobile Banking
com.wallet.crypto.trustapp Trust: Crypto & Bitcoin Wallet
com.youhodler.youhodler YouHodler - Crypto and Bitcoin Wallet
com.zengo.wallet ZenGo Crypto & Bitcoin Wallet: Buy, Earn & Trade
de.bbbank.banking.privat BBBank-Banking classic OLB Banking comdirect
de.commerzbanking.mobil Commerzbank Banking - The app at your side VR Banking Classic
de.fiduciagad.banking.vr VR Banking - einfach sicher
de.ingdiba.bankingapp ING Banking to go N26 — The Mobile Bank
de.postbank.bestsign Postbank BestSign
de.postbank.finanzassistent Postbank Finanzassistent PSD Banking
de.psd.banking.privat PSD Banking Classic
de.santander.presentation Santander Banking
de.schildbach.wallet Bitcoin Wallet SpardaSecureApp
de.sparda.banking.privat SpardaBanking+
de.spardab.banking.privat Sparda Berlin Ethereum Wallet. Buy & Exchange ETH — Freewallet
eu.qonto.qonto Qonto • Easy Business Banking
eu.unicreditgroup.hvbapptan HVB Mobile Banking
exodusmovement.exodus Exodus: Crypto Bitcoin Wallet
fr.bnpp.digitalbanking Hello bank! par BNP Paribas
fr.creditagricole.androidapp Ma Banque HSBC France Mes Comptes - LCL
fr.mafrenchbank Ma French Bank
io.atomicwallet Bitcoin Wallet & Ethereum Ripple ZIL DOT
io.bluewallet.bluewallet BlueWallet Bitcoin Wallet CEX.IO Cryptocurrency Exchange
io.metamask MetaMask - Buy, Send and Swap Crypto
io.safepal.wallet SafePal-Crypto wallet BTC NFTs
it.bcc.iccrea.mycartabcc myCartaBCC BNL My Private Banking Smart My Money
it.caitalia.apphub Crédit Agricole Italia
it.carige Carige Mobile
it.cedacri.hb2.bpbari Mi@
it.cedacri.hb3.desio.brianza D-Mobile Banca MPS
it.creval.bancaperta Bancaperta Smart Mobile Banking
it.gruppobper.smartbpercard Smart BPER Card
it.gruppocariparma.nowbanking Nowbanking Hype Nexi Pay ING Italia
it.nogood.container UBI Banca
it.phoenixspa.inbank Inbank
it.popso.SCRIGNOapp SCRIGNOapp
it.relaxbanking RelaxBanking Mobile L’Appli Société Générale L’Appli Pro Société Générale Bitcoin & Crypto Blockchain Wallet: Freewallet Bitstamp – Buy & Sell Bitcoin at Crypto Exchange Mes Comptes BNP Paribas
net.safemoon.androidwallet SafeMoon
nl.asnbank.asnbankieren ASN Mobiel Bankieren
nl.rabomobiel Rabo Bankieren
nl.regiobank.regiobankieren RegioBank - Mobiel Bankieren
nl.snsbank.snsbankieren SNS Mobiel Bankieren Tomorrow: Mobile Banking
org.electrum.electrum Electrum Bitcoin Wallet
org.toshi Coinbase Wallet — Crypto Wallet & DApp Browser Blockchain Wallet. Bitcoin, Bitcoin Cash, Ethereum
posteitaliane.posteapp.appbpol BancoPosta
se.bankgirot.swish Swish payments HSBC UK Mobile Banking MBNA - Card Services App Metro Bank Santander Mobile Banking TSB Mobile Banking

Demo or trial?