Bankbot dropper hiding on Google Play

01 August 2017

Abstract

Today our ThreatFabric threat intel team found a suspicious looking Bankbot APK. After further investigation it turned out to be present in the Google Play Store:

[Screenshots: Play Store listing and additional information page of the Bankbot app "Earn Real Money Gift Cards"]

Bankbot in Google Play

As it turned out, there was also another APK from this developer. Apparently the guy is also an avid game developer. Initially it looked like a simple (and quite fun according to Wesley) game, but after some deeper investigation we became suspicious…

[Screenshots: Play Store listing and additional information page of the game "Bubble Shooter Wild Life"]

Game in Google Play

Dissecting the game

So on initial startup the game asks for permission to draw over other apps:


Permission request to draw over apps

This permission is most likely needed for the trickery that follows. According to the decompiled code, the app should at some point ask the user to enable it as an Accessibility Service. Because this didn’t happen automatically, we decided to enable it manually:


Accessibility Service enabled

When the app obtains its Accessibility Service status it displays a screen saying it is performing a Google update. This screen is simply a “holding screen” to prevent the user from interfering with what is happening in the background: using its elevated status, the app enables “Unknown sources” through the settings activity and installs another APK file, which is first copied from the APK assets to the sdcard. In the current app in the Play Store there is no APK present, which means nothing serious happens. Because we wanted to try this out, we put a dummy app in the same location on the sdcard and started the dropper app. This is what happened:
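The behaviour described above gives a defender three static indicators to look for in an APK before it is ever run: the overlay permission (“draw over other apps”), a declared accessibility service, and a second APK carried inside the assets. The following script is an added example written for this post, not ThreatFabric’s own tooling: it opens an APK as a zip, searches the compiled manifest for the two permission strings (a raw-byte heuristic over the binary XML string pool, not a full AXML parser), and checks every file under assets/ for a nested APK regardless of its extension. The sample APKs it builds are constructed in memory to exercise the checks; they are not the samples from the post.

```python
import io
import zipfile

# Real Android permission strings behind the behaviour the post describes:
# "draw over other apps" and binding an accessibility service.
DRAW_OVER_APPS = "android.permission.SYSTEM_ALERT_WINDOW"
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def manifest_mentions(manifest_bytes: bytes, needle: str) -> bool:
    """A compiled AndroidManifest.xml (binary XML) keeps its strings in a pool
    encoded as UTF-8 or UTF-16LE. Searching the raw bytes for both encodings is
    a parser-free triage heuristic, not a full AXML decode."""
    return (needle.encode("utf-8") in manifest_bytes
            or needle.encode("utf-16-le") in manifest_bytes)


def looks_like_apk(data: bytes) -> bool:
    """An APK is a zip archive that carries an AndroidManifest.xml entry."""
    if data[:2] != b"PK":
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as inner:
            return "AndroidManifest.xml" in inner.namelist()
    except zipfile.BadZipFile:
        return False


def embedded_apks(outer: zipfile.ZipFile) -> list:
    """Names of entries under assets/ that are themselves APKs, whatever their
    extension (a dropper need not name its payload '.apk')."""
    return [name for name in outer.namelist()
            if name.startswith("assets/") and not name.endswith("/")
            and looks_like_apk(outer.read(name))]


def triage_apk(apk_bytes: bytes) -> dict:
    """Flag the combination the post describes: accessibility-service binding,
    overlay permission, and a second APK carried in the assets."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as outer:
        manifest = outer.read("AndroidManifest.xml")
        result = {
            "draw_over_apps": manifest_mentions(manifest, DRAW_OVER_APPS),
            "accessibility_service": manifest_mentions(manifest, ACCESSIBILITY_BIND),
            "embedded_apks": embedded_apks(outer),
        }
    # Accessibility + overlay without a payload matches the Play Store build;
    # accessibility + an embedded APK is the armed dropper.
    if result["accessibility_service"] and result["embedded_apks"]:
        result["verdict"] = "armed dropper"
    elif result["accessibility_service"] and result["draw_over_apps"]:
        result["verdict"] = "dropper framework (no payload)"
    elif any(result.values()):
        result["verdict"] = "review"
    else:
        result["verdict"] = "clean"
    return result


def build_sample_apk(with_payload: bool) -> bytes:
    """Constructed test input, not a real sample: a minimal zip whose manifest
    bytes mimic the UTF-16LE string pool of binary XML. The assets entry name
    'update.bin' is made up to show that the extension is irrelevant."""
    manifest = (b"\x03\x00\x08\x00"
                + DRAW_OVER_APPS.encode("utf-16-le")
                + ACCESSIBILITY_BIND.encode("utf-16-le"))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", manifest)
        z.writestr("classes.dex", b"dex\n035\x00constructed")
        if with_payload:
            inner = io.BytesIO()
            with zipfile.ZipFile(inner, "w") as payload:
                payload.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00payload")
            z.writestr("assets/update.bin", inner.getvalue())
    return buf.getvalue()


if __name__ == "__main__":
    for armed in (False, True):
        print("with payload" if armed else "no payload", triage_apk(build_sample_apk(armed)))
```

Run against a real file with `triage_apk(open("app.apk", "rb").read())`. The manifest check deliberately errs on the side of noise: legitimate accessibility apps and screen-overlay utilities will trip the first two indicators, so the verdict is a triage priority, not a conviction; the embedded-APK check is the one that separates the armed build from the placeholder the post found on Google Play.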


Dropper installs APK from sdcard

We also captured the above flow in a short clip, which can be seen below:

[Embedded video: dropper installs APK from sdcard]

Conclusion

It looks like the developer is still working on improving his dropper app. Any new update to the app (the last one was 2 days ago) can add an embedded APK which will be installed after the app is started. With a simple campaign on social media the app can be spread rapidly, especially since the app appears to be a normal and fun game to the average user. As we have long expected, droppers will probably become more common and be rented out as a service.

IOC

Bankbot app

- Google Play: https://play.google.com/store/apps/details?id=com.moneygift.real.app
- Koodous: https://koodous.com/apks/b038b5dfceeb5b59d2abcd376814defb2a7022ba5b65cf917bf857439835e2e5

Dropper app

- Google Play: https://play.google.com/store/apps/details?id=com.bubblesooter.wildlife
- Koodous: https://koodous.com/apks/b5420cd03ab440e770efb7900a12d831b318db96286df720900dc05955508f86
