For the past year, Android malware authors have been increasingly relying on a solid trick for bypassing Google's security scans and sneaking malicious apps into the official Play Store.
The trick relies on the use of a technique that's quite common in desktop-based malware, but which in the last year is also becoming popular on the Android market.
The technique involves the usage of "droppers," a term denoting a dual or multiple-stage infection process in which the first stage malware is often a simplistic threat with limited capabilities, and its main role is to gain a foothold on a device in order to download more potent threats.
But while on desktop environments droppers aren't particularly efficient, as the widespread use of antivirus software detects them and their second-stage payloads, the technique is quite effective on the mobile scene.
This is because most mobile phones don't use an antivirus, and there's no on-device threat scanner to catch the second-stage payloads.
This means that the only security measures that are in place are the security scans that Google runs before approving an app to be listed on the Play Store.
Malware authors have realized in the past years that Google has a very hard time picking up "droppers" hidden in legitimate apps. For the past years, more and more malware operations have adopted this trick of splitting their code in two —a dropper and the actual malware.
The reason is that droppers require a smaller number of permissions and exhibit limited behavior that could be classified as malicious. Furthermore, adding timers that delay the execution of any malicious code with a few hours also helps the malware remain undetected during Google's scans.
These simple tricks allow tiny pieces of malicious code to slip inside the Play Store hidden in all sorts of apps, of many categories.
Once users run the apps, which in most cases do what they advertise, the malicious code executes, the droppers asks for various permissions, and if it gets them, then it downloads a far more potent malware.
The trick has been used predominantly by malware authors spreading versions of the Exobot, LokiBot, and BankBot mobile banking trojan but has also been adopted in the meantime by many others.
Security researchers from ThreatFabric have blogged about the increased usage, popularity, and efficiency of dropper apps on the Play Store in May 2017, August 2017, September 2017, November 2017, and January 2018, describing attacks with Android banking malware strains such as BankBot (Anubis I), BankBot (Anubis II), Red Alert 2.0/2.1, LokiBot, and Exobot. Symantec and ESET have warned about this in the past as well.
This month, the technique was once more highlighted in an IBM X-Force report describing a recent distribution campaign for the Anubis II malware, one of the most recent BankBot variants.
"The campaign features at least 10 malicious downloaders disguised as various applications, all of which fetch mobile banking Trojans that run on Android-based devices," the IBM team said. "While the number of downloaders may seem modest, each of those apps can fetch more than 1,000 samples from the criminal’s command-and-control (C&C) servers."
This recent trend of using similar-looking malware dropper apps (also referred to as malware downloaders) has led IBM experts to believe that some cybercrime gangs are now running a "downloader-as-a-service" (DaaS) operation, in which they are renting "install space" on their dropper apps to other multiple groups at the same time.
This explains why most droppers look the same and sometimes distribute a wide variety of payloads, and not just one malware alone.
In fact, this is exactly what appears to be happening, according to Gaetan van Diemen, a security researcher with ThreatFabric, who shared his knowledge with Bleeping Computer earlier today and confirmed IBM's theory of DaaS services being available for Android malware operators.
"In the Android banking malware ecosystem, it is quite common for threat actors to buy so called 'loader' (dropper) services from other actors," van Diemen says.
"The reason for this MO to become more popular is because it allows a wider distribution of the malware from a 'trusted' source (the Google Play Store) and therefore attains a larger number of victims. This resulted in a new business model where installations in google play are sold to malware actors."
In hindsight, this isn't that surprising because this is exactly what's happening on the desktop market where running a dropper operation for other criminal groups is a much more financially viable business than running an actual banking trojan.
For example, this week Symantec released a report highlighting how the infamous and very dangerous Emotet banking trojan has slowly turned into a dropper and is now renting space and distributing other banking trojans with which it once used to compete.
The growing popularity of malicious Android dropper apps is also one of the reasons Google has launched the Play Protect service, a security feature built into the official Play Store app that continuously scans locally installed apps for malicious behavior in the hopes of finding malicious modifications in local apps it did not pick up during the Play Store approval process.
But van Diemen believes Google is at a disadvantage, at least, for now.
"It is quite difficult to detect dropper apps," the expert told us. "As you can imagine threat actors will put a lot of energy in keeping those apps undetected."
"For example, some dropper apps' malicious code only becomes active when it receives a command from the C&C server (meaning that without a certain delay or certain actions, the behavior of the app will seem benign). In some cases, the malicious banking malware is only dropped based on a certain delay or when the dropper app (for example a game) is intensively used on the device."
Such techniques seem simple enough but are somewhat hard to replicate and detect inside automated testing environments. It is hard to simulate an app's intensive use at the large scale Google needs to check and re-check the millions of apps uploaded on the Play Store. But van Diemen points out that Google could look and factor in additional indicators of malicious activity when performing its scans.
"What is surprising is that there is quite some intelligence and technical information about those droppers (publicly) available that could allow Google to detect these apps with ease," van Diemen told Bleeping Computer. "The Exobot campaign for example still uses a similar dropper app code than the first time it was found, in this case, we can even confirm that it is the same dropper panel still being used. Such information should have been used by Google’s internal malware scanner (Bouncer) or Google Play Protect."
"Interestingly enough, we have also observed that most AV's also failed in detecting the dropper campaigns (sometimes for years), meaning that some awareness needs to be raised on the topic," the expert added.