A malicious campaign exploited seemingly harmless Android apps on the Google Play Store to compromise users’ devices with banking malware.
These 17 dropper apps, collectively dubbed DawDropper by Trend Micro, were disguised as productivity and utility apps such as document scanners, QR code readers, VPN services and call recorders, among others. All of the apps in question have since been removed from the Play Store.
“DawDropper uses Firebase Realtime Database, a third-party cloud service, to evade detection and dynamically obtain a payload download address,” the researchers said. “It also hosts malicious payloads on GitHub.”
Droppers are applications designed to bypass Google Play Store security controls, after which they are used to download more powerful and intrusive malware onto a device, in this case, Octo (Coper), Hydra, Ermac and TeaBot.
The attack chains involved the DawDropper malware making connections to a Firebase real-time database to receive the GitHub URL needed to download the malicious APK file.
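An added example (not from the article or Trend Micro's own material) of how a defender might hunt for this two-stage staging pattern in egress proxy logs: a device queries a Firebase Realtime Database host and shortly afterwards downloads an APK from GitHub. The log format, device names, hostnames and paths in the sample lines are constructed assumptions.

```python
"""Flag the DawDropper-style staging chain in proxy logs: a Firebase Realtime
Database lookup followed, within a short window, by an APK fetch from GitHub
on the same device. Log format and sample lines are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed proxy log: "<ISO timestamp> <device> <method> <url> <content-type>"
SAMPLE_LOG = """\
2022-07-28T09:00:01 dev-A GET https://example-db.firebaseio.com/config.json application/json
2022-07-28T09:00:04 dev-A GET https://raw.githubusercontent.com/acct/repo/main/update.apk application/vnd.android.package-archive
2022-07-28T09:05:00 dev-B GET https://raw.githubusercontent.com/acct/repo/main/readme.md text/plain
2022-07-28T10:00:00 dev-C GET https://example-db.firebaseio.com/config.json application/json
2022-07-28T11:30:00 dev-C GET https://raw.githubusercontent.com/acct/repo/main/tool.apk application/vnd.android.package-archive
"""

FIREBASE_SUFFIX = ".firebaseio.com"
GITHUB_HOSTS = ("github.com", "raw.githubusercontent.com", "objects.githubusercontent.com")
APK_MIME = "application/vnd.android.package-archive"
WINDOW = timedelta(minutes=10)  # max gap between Firebase lookup and APK fetch

def parse(line):
    """Split one constructed log line into (timestamp, device, host, url, content-type)."""
    ts, device, _method, url, ctype = line.split()
    host = url.split("/")[2].lower()
    return datetime.fromisoformat(ts), device, host, url, ctype

def find_dropper_chains(log_text, window=WINDOW):
    """Return (device, firebase_url, apk_url) for every Firebase query that is
    followed within `window` by an APK download from GitHub on the same device."""
    firebase_seen = defaultdict(list)  # device -> [(timestamp, url)]
    hits = []
    for line in log_text.splitlines():
        ts, device, host, url, ctype = parse(line)
        if host.endswith(FIREBASE_SUFFIX):
            firebase_seen[device].append((ts, url))
            continue
        is_apk = ctype == APK_MIME or url.lower().endswith(".apk")
        if host in GITHUB_HOSTS and is_apk:
            for fts, furl in firebase_seen[device]:
                if timedelta(0) <= ts - fts <= window:
                    hits.append((device, furl, url))
                    break
    return hits

if __name__ == "__main__":
    for device, cfg, apk in find_dropper_chains(SAMPLE_LOG):
        print(f"{device}: Firebase config {cfg} -> APK {apk}")
```

Both hosts are legitimate services with heavy benign traffic, so the sequence and the APK content type, not either host alone, are what make the hit worth triaging.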
The list of rogue apps previously available on Google Play is below:
- Call Recorder APK (com.caduta.aisevsk)
- Rooster VPN (com.vpntool.androidweb)
- Super Cleaner – hyper and smart (com.j2ca.callrecorder)
- Document Scanner – PDF Creator (com.codeword.docscann)
- Universal Saver Pro (com.virtualapps.universalsaver)
- Eagle Photo Editor (com.techmediapro.photoediting)
- Call recorder pro+ (com.chestudio.callrecorder)
- Extra cleaner (com.casualplay.leadbro)
- Crypto Utilities (com.utilsmycrypto.mainer)
- FixCleaner (com.cleaner.fixgate)
- Just now: Video Motion (com.olivia.openpuremind)
- Lucky Cleaner (com.luckyg.cleaner)
- Simpli Cleaner (com.scando.qukscanner)
- Unicc QR Scanner (com.qrdscannerratedx)
Among the droppers is an app named “Unicc QR Scanner,” which Zscaler reported earlier this month as distributing the Coper banking Trojan, a variant of the Exobot mobile malware.
Octo is also known to disable Google Play Protect and use Virtual Network Computing (VNC) to record a victim device’s screen, including sensitive information such as banking credentials, email addresses and passwords, and PINs, all of which are then exfiltrated to a remote server.
Banking droppers, for their part, have evolved since the start of the year, from hard-coded payload download addresses to using a middleman to conceal the address hosting the malware.
“Cybercriminals are constantly finding ways to evade detection and infect as many devices as possible,” the researchers said.
“Additionally, as there is a high demand for new ways to distribute mobile malware, several malicious actors claim that their droppers could help other cybercriminals distribute their malware on Google Play Store, resulting in a model of dropper-as-a-service (DaaS).”