Security Report Sounds Alarm On Evolving Android Malware Droppers In Google Play
One established method for achieving this end is the use of malware droppers, which are applications that contain very little malicious code when first installed. Droppers usually masquerade as legitimate apps with useful features and often do offer at least some of the advertised functionality. However, once installed, malware droppers download and install malicious payloads. Since the droppers themselves don’t contain the bulk of the malicious code, but instead download it from external sources, it’s more difficult to detect the droppers as malicious. Earlier this week, we wrote about a family of extensions in the Chrome Web store that employed similar tactics to Android malware droppers, downloading and side-loading a set of malicious scripts from a blank webpage.
The new policy is intended to prevent malware droppers from abusing this permission by restricting access to the permission to exclusively apps like web browsers, file managers, and dedicated app stores. However, malware developers appear to have discovered at least two different ways to work around this restriction. ThreatFabric found the first of these two techniques at play in a Sharkbot malware dropper.
Rather than attempting to install the Sharkbot payloads itself, the malware dropper instead opens a webpage in the user’s default web browser. This webpage is designed to look like the Google Play Store and displays a fake update to the dropper app. Since web browsers can still access the REQUEST_INSTALL_PACKAGES permission under the new Play Store policy, the web browser can download and install the “update” at the direction of unsuspecting users. Users who carry out this update process to completion will have unwittingly infected their devices with the Sharkbot malware.
Android users should always be hesitant to grant apps the ability to install packages. As a general rule of thumb, this setting should be enabled only for trusted, dedicated app stores. Users should also be aware that the real Google Play Store will never request access to this ability, as it is granted by default.