{
	"id": "e70ada3a-79a8-40f1-a938-db5fa1286919",
	"created_at": "2026-04-06T01:29:39.147892Z",
	"updated_at": "2026-04-10T03:30:33.587446Z",
	"deleted_at": null,
	"sha1_hash": "9cd783e017a7d1e15695f4f3c43597c5af2ca2fd",
	"title": "The Android Malware’s Journey: From Google Play to banking fraud",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2180989,
	"plain_text": "The Android Malware’s Journey: From Google Play to banking fraud\r\nBy Francesco Iubatti, Alessandro Strino\r\nArchived: 2026-04-06 00:27:08 UTC\r\nBackground and Key points\r\nIn the last two months, we observed, through our telemetry, an increase in the number of Vultur infections among our customers.\r\nAt the beginning of October 2022, the Cleafy Threat Intelligence Team discovered and reported to Google a dropper of Vultur, a known Android banking trojan, on the official Play Store with 100,000+ downloads. Recently, other researchers publicly disclosed the same malicious dropper application.\r\nThis dropper hides behind a fake utility application. Because it requests few permissions and has a small footprint, it appeared to be a legitimate app and was able to elude antivirus solutions and the Google Play review process.\r\nAfter installation, the dropper uses advanced evasion techniques, such as steganography, file deletion, and code obfuscation, together with multiple checks performed before the malware is downloaded.\r\nOnce the banking trojan (Vultur) has been downloaded and installed through a fake update, Threat Actors (TAs) can observe everything that happens on the infected device and carry out bank fraud through ATO (Account Takeover) attacks.\r\nFigure 1 - Malicious dropper on Google Play Store\r\nhttps://www.cleafy.com/cleafy-labs/the-android-malwares-journey-from-google-play-to-banking-fraud\r\nPage 1 of 6\n\nAnalysis of the malicious dropper\r\nIn recent years, the number of Android banking trojans has increased, and new techniques to perform banking fraud have been developed. 
Although most banking trojans are distributed via *ishing campaigns, TAs also use official app stores to deliver their malware through dropper applications, i.e. applications designed to download malware onto the target device.\r\nOne of the main reasons behind this choice is the possibility of reaching a larger number of potential victims and, thus, a greater likelihood of completing a fraud. Furthermore, since these droppers hide behind utility apps and come from a trusted source, they can mislead even “experienced” users.\r\nThe application, discovered in October by the Cleafy TIR team on the Google Play Store, looks like a legitimate recovery tool with a relatively small set of permissions and a small footprint.\r\nFigure 2 - Snippet of AndroidManifest file\r\nThe combination of these elements, plus the use of multiple evasion techniques, makes the application very difficult to detect with automatic sandboxes or machine learning methods. It therefore goes undetected by antivirus solutions and Google Play Protect.\r\nThis explains why, even though an overview of this dropper was already given in the latest ThreatFabric article, we decided to publish this report and analyze in detail how this application ended up in the Play Store and attempted to commit bank fraud.\r\nThe application found on the Play Store belongs to the Brunhilda dropper service, since it shares multiple behaviors with related past samples, such as:\r\nThe requirement of Android 8.0 or above;\r\nSome code similarities;\r\nThe information sent to the C2 server and its configuration.\r\nFigure 3 - Antivirus detection of the Vultur’s dropper application\r\nThe application code has changed compared to previous variants, and an interesting piece of evidence is the use of multiple evasion techniques to stay undetected and slow down analysis. Some of these techniques are listed below:\r\nSteganography (a technique used to hide secret data within an ordinary file to avoid detection): as shown in Figure 4, inside the application asset directory there is a PNG file that hides an encrypted payload which, once decrypted, becomes a zip file containing a dex file. This dex file contains the code used to communicate with the C2 server and download the “real” malware onto the user’s device (currently, the Android banking trojan called Vultur).\r\nFigure 4 - Extraction of encrypted payload from PNG image\r\nFile deletion: after the payload is decrypted and uncompressed, both the zip and the dex file are removed from their directories, as shown in Figure 5.\r\nCode obfuscation and anti-emulation: all the code is obfuscated, and the strings are encrypted with the AES algorithm. Moreover, the dropper performs multiple checks to determine whether it is running on an emulator/sandbox or on a real device, and stops or proceeds with the attack accordingly.\r\nFigure 5 - Deletion of zip and dex files from memory\r\nOnce the victim downloads and installs the application from the Google Play Store, to complete the attack chain the dropper shows the user a persistent update request to download a new application (Figure 6), which is the actual malware, namely the Android banking trojan belonging to the Vultur family.\r\nAlthough this means the user has to grant the Android permission to install applications from a source other than the official Google Play Store, the technique allows TAs to avoid uploading the malicious payload directly to the official store, which keeps the dropper application itself undetected.\r\nFigure 6 - Fake update requested to download the banking trojan\r\nFigure 7 - Configuration file of the malicious dropper\r\nOverview of Vultur\r\nWhen the user installs the application requested in the fake update, a new popup appears (Figure 8). Notably, the malware needs the “notorious” Accessibility Services to control the user’s device.\r\nAt this point, Vultur uses multiple techniques to avoid raising the user’s suspicion, in particular:\r\nA fake alert is displayed to the user, saying, “This update is incompatible with the current version of the Play Store and will be removed”, followed by a toast (a small Android popup) saying that the application has been removed;\r\nThe icon of the downloaded application is not displayed on the phone;\r\nUsing the Accessibility Services, the malware prevents the infected user from opening the Settings app to see which applications are installed on the device.\r\nFurthermore, if an analyst tries to install Vultur directly on a device to analyze it, the malware does not start and does not communicate with the C2 server. The malware must be installed and launched through the dropper application.\r\nFigure 8 - Installation phases of Vultur\r\nUsing keylogging and screen recording capabilities, TAs can obtain all the information they need to carry out their fraudulent activities. During our investigations, we noticed that the usual modus operandi of Vultur’s TAs is to try to carry out bank fraud during the night hours.\r\nFigure 9 - Vultur infections over the months among our customers\r\nFinal Considerations\r\nThis research aims to show how TAs keep refining their tradecraft to stay undetected, using advanced evasion techniques such as steganography, file deletion, and code obfuscation. 
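The asset-PNG staging described above (an encrypted blob hidden in a PNG, decrypted into a zip, which holds the dex that talks to the C2) is the part of the chain an analyst most often has to reproduce by hand. The following is an added example written for this page, not Cleafy’s code and not the dropper’s: it parses the PNG chunk structure, flags the places a payload can hide (bytes appended after IEND, non-standard chunk types, chunks with bad CRCs), and then replays the decrypt -> zip -> dex unpacking with the decryption routine passed in as a parameter. The article does not say where in the PNG the blob sits or which key is used, so the sample PNG, the appended position and the XOR stand-in for the real AES layer are constructed assumptions for the demo; on a real asset you replace xor_stand_in with the routine recovered from the obfuscated code.

```python
# Added example (not Cleafy code, not the dropper's code): triage a PNG asset
# for a hidden payload and replay the decrypt -> zip -> dex staging chain.
import io
import math
import struct
import zipfile
import zlib

PNG_SIGNATURE = bytes.fromhex('89504e470d0a1a0a')
ZIP_LOCAL_HEADER = bytes.fromhex('504b0304')   # 'PK' 0x03 0x04
DEX_MAGIC = bytes.fromhex('6465780a')          # 'dex' + LF, then '0NN' + NUL
# Chunk types a benign asset PNG is expected to carry (heuristic allow-list).
STANDARD_CHUNKS = {'IHDR', 'PLTE', 'IDAT', 'IEND', 'tRNS', 'gAMA', 'cHRM', 'sRGB', 'iCCP',
                   'tEXt', 'zTXt', 'iTXt', 'bKGD', 'pHYs', 'sBIT', 'sPLT', 'hIST', 'tIME', 'eXIf'}


def parse_png(data):
    '''Return (chunks, end): chunks as (type, payload, crc_ok); end is the first byte after IEND.'''
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError('not a PNG file')
    pos, chunks = len(PNG_SIGNATURE), []
    while pos + 8 <= len(data):
        length = struct.unpack('>I', data[pos:pos + 4])[0]
        body = data[pos + 4:pos + 8 + length]                 # type + payload; the CRC covers both
        stored = data[pos + 8 + length:pos + 12 + length]
        crc_ok = len(stored) == 4 and zlib.crc32(body) == struct.unpack('>I', stored)[0]
        ctype = body[:4].decode('latin-1')
        chunks.append((ctype, body[4:], crc_ok))
        pos += 12 + length
        if ctype == 'IEND':
            return chunks, pos
    raise ValueError('no IEND chunk found')

def shannon_entropy(blob):
    '''Bits per byte; encrypted or compressed data sits near 8.0.'''
    if not blob:
        return 0.0
    counts = [0] * 256
    for b in blob:
        counts[b] += 1
    return -sum(c / len(blob) * math.log2(c / len(blob)) for c in counts if c)

def classify(blob):
    '''Magic-byte check for the two stages the dropper unpacks.'''
    if blob.startswith(ZIP_LOCAL_HEADER):
        return 'zip'
    if blob.startswith(DEX_MAGIC):
        return 'dex'
    return 'unknown'

def scan_png(data):
    '''Flag the places a payload can hide: after IEND, in odd chunk types, under bad CRCs.'''
    chunks, end = parse_png(data)
    trailing = data[end:]
    report = {
        'trailing_bytes': len(trailing),
        'trailing_entropy': round(shannon_entropy(trailing), 2),
        'trailing_type': classify(trailing),
        'bad_crc_chunks': [t for t, _, ok in chunks if not ok],
        'nonstandard_chunks': [(t, len(p)) for t, p, _ in chunks if t not in STANDARD_CHUNKS],
    }
    report['suspicious'] = bool(trailing or report['bad_crc_chunks'] or report['nonstandard_chunks'])
    return report

def unpack_chain(blob, decrypt):
    '''decrypt -> zip -> names of members carrying the dex magic; None if not a zip after decrypt.
    decrypt is the routine recovered from the sample (AES, per the write-up), passed in, not assumed.'''
    plain = decrypt(blob)
    if classify(plain) != 'zip':
        return None
    with zipfile.ZipFile(io.BytesIO(plain)) as zf:
        return [n for n in zf.namelist() if classify(zf.read(n)) == 'dex']

# ---- constructed sample input (hypothetical, built here only for the demo) ----
def _chunk(ctype, payload):
    body = ctype.encode('ascii') + payload
    return struct.pack('>I', len(payload)) + body + struct.pack('>I', zlib.crc32(body))

def build_clean_png():
    '''Valid 1x1 8-bit greyscale PNG: IHDR + IDAT (filter byte + one pixel) + IEND.'''
    ihdr = struct.pack('>IIBBBBB', 1, 1, 8, 0, 0, 0, 0)
    return PNG_SIGNATURE + _chunk('IHDR', ihdr) + _chunk('IDAT', zlib.compress(bytes(2))) + _chunk('IEND', b'')

def xor_stand_in(blob, key=bytes.fromhex('5a')):
    '''Stand-in for the sample's real cipher so the demo runs offline; swap in the recovered AES routine.'''
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(blob))

def build_dropper_style_png():
    '''Clean PNG with an encrypted zip appended after IEND; the zip holds a member with the dex magic.'''
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w', zipfile.ZIP_DEFLATED) as zf:
        zf.writestr('classes.dex', DEX_MAGIC + b'035' + bytes(65))
    return build_clean_png() + xor_stand_in(buf.getvalue())

if __name__ == '__main__':
    for name, png in (('clean', build_clean_png()), ('dropper-style', build_dropper_style_png())):
        report = scan_png(png)
        print(name, report)
        if report['trailing_bytes']:
            print('  dex members after decrypt:', unpack_chain(png[parse_png(png)[1]:], xor_stand_in))
```

Run it against the PNGs pulled out of an APK’s assets directory (unzip the APK, point scan_png at each image): a clean asset reports nothing, while the constructed dropper-style asset reports appended bytes that do not match any known magic until decrypt is applied, after which unpack_chain lists classes.dex. The scan deliberately does not depend on knowing the cipher, so it still flags an asset whose key has not yet been recovered; entropy of the trailing bytes is reported rather than thresholded because short payloads compress poorly and the reader should judge it alongside the size.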
At the same time, the use of official app stores to deliver banking trojans, so as to reach a larger number of potential victims, is a new trend that is gaining strength.\r\nAccording to our findings, we expect to see new sophisticated banking dropper campaigns on the official stores in the coming months.\r\nAppendix 1: IoCs\r\nIoC - Description\r\ncom.umac.recoverallfilepro - Package name of the dropper on Google Play Store (currently removed)\r\n89a5ebab2b9458e0d31dca80c2cd3e02 - MD5 of the dropper\r\nfrappucinos[.]shop - C2 of the dropper\r\n95c8f5879f6d83d7c98a8d737cf2783e - MD5 of Vultur\r\nflipstageparty[.]club - C2 of Vultur\r\nSource: https://www.cleafy.com/cleafy-labs/the-android-malwares-journey-from-google-play-to-banking-fraud",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.cleafy.com/cleafy-labs/the-android-malwares-journey-from-google-play-to-banking-fraud"
	],
	"report_names": [
		"the-android-malwares-journey-from-google-play-to-banking-fraud"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775438979,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9cd783e017a7d1e15695f4f3c43597c5af2ca2fd.pdf",
		"text": "https://archive.orkl.eu/9cd783e017a7d1e15695f4f3c43597c5af2ca2fd.txt",
		"img": "https://archive.orkl.eu/9cd783e017a7d1e15695f4f3c43597c5af2ca2fd.jpg"
	}
}