A malicious campaign used seemingly harmless Android dropper apps in the Google Play Store to compromise users’ devices with banking malware.
These 17 dropper apps, collectively called DawDropper by Trend Micro, were disguised as productivity and utility apps such as document scanners, QR code readers, VPN services, and call recorders. All of the apps in question have since been removed from the app marketplace.
“DawDropper uses Firebase Realtime Database, a third-party cloud service, to bypass detection and dynamically obtain a payload download address,” the researchers said. “It also hosts malicious payloads on GitHub.”
Droppers are apps designed to sneak past Google Play Store security checks and then, once installed, download more powerful and intrusive malware onto a device, in this case Octo (Coper), Hydra, Ermac, and TeaBot.
In the observed attack chains, the DawDropper malware established a connection to a Firebase Realtime Database to receive the GitHub URL from which it then downloaded the malicious APK file.
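A defender-side heuristic derived from that staging chain, written here as an added example and not taken from the Trend Micro report: flag any app that queries a Firebase Realtime Database endpoint and shortly afterwards fetches an .apk from GitHub. The log format and package names below are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not from the report): timestamp, package, requested URL.
SAMPLE_LOG = """\
2022-07-01T10:00:01 com.example.scanner https://example-db.firebaseio.com/config.json
2022-07-01T10:00:04 com.example.scanner https://github.com/example/repo/raw/main/update.apk
2022-07-01T10:02:00 com.example.notes https://api.example.com/sync
2022-07-01T10:03:00 com.example.cleaner https://github.com/example/tool/raw/main/readme.txt
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")
# Firebase Realtime Database endpoints live under *.firebaseio.com.
FIREBASE_RE = re.compile(r"^https://[^/]+\.firebaseio\.com/", re.I)
# An APK pulled from GitHub (web or raw content host).
GITHUB_APK_RE = re.compile(
    r"^https://(raw\.githubusercontent\.com|github\.com)/.+\.apk$", re.I)


def parse_log(text):
    """Yield (timestamp, package, url) tuples, skipping malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, pkg, url = m.groups()
        yield datetime.fromisoformat(ts), pkg, url


def find_dropper_chains(text, window_seconds=300):
    """Return {package: apk_url} for apps that query Firebase RTDB and then
    download an .apk from GitHub within window_seconds (the DawDropper pattern)."""
    by_pkg = defaultdict(list)
    for ts, pkg, url in parse_log(text):
        by_pkg[pkg].append((ts, url))
    flagged = {}
    for pkg, events in by_pkg.items():
        events.sort()
        firebase_times = [ts for ts, url in events if FIREBASE_RE.match(url)]
        for ts, url in events:
            if not GITHUB_APK_RE.match(url):
                continue
            # Only flag when the APK fetch follows a Firebase lookup closely in time.
            if any(0 <= (ts - f).total_seconds() <= window_seconds
                   for f in firebase_times):
                flagged[pkg] = url
    return flagged
```

A GitHub fetch alone (com.example.cleaner above) is not flagged; it is the Firebase lookup followed by the APK download that matches the chain.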
The list of malicious apps previously available in the app store is below:
Call Recorder APK (com.caduta.aisevsk)
Roster VPN (com.vpntool.androidweb)
Super Cleaner- hyper & smart (com.j2ca.callrecorder)
Document Scanner – PDF Creator (com.codeword.docscann)
Universal Saver Pro (com.virtualapps.universalsaver)
Eagle photo editor (com.techmediapro.photoediting)
Call recorder pro+ (com.chestudio.callrecorder)
Extra Cleaner (com.casualplay.leadbro)
Crypto Utils (com.utilsmycrypto.mainer)
FixCleaner (com.cleaner.fixgate)
Just In: Video Motion (com.olivia.openpuremind)
com.myunique.sequencestore
com.flowmysequto.yamer
com.qaz.universalsaver
Lucky Cleaner (com.luckyg.cleaner)
Simpli Cleaner (com.scando.qukscanner)
Unicc QR-scanner (com.qrdscannerratedx)
Among the droppers is an app called “Unicc QR Scanner” that Zscaler flagged earlier this month as distributing the Coper banking trojan, a variant of the Exobot mobile malware.
Octo is also known to turn off Google Play Security and use virtual network computing (VNC) to record the screen of a victim device, including sensitive information such as banking details, email addresses, and passwords and PINs, all of which are then exfiltrated to a remote server.
In turn, banking droppers have evolved since the beginning of the year, moving from hard-coded payload download addresses to using an intermediary to hide the address hosting the malware.
“Cybercriminals are constantly finding ways to evade detection and infect as many devices as possible,” the researchers said.
“In addition, due to the high demand for new ways to distribute mobile malware, several attackers claim that their droppers could help other cybercriminals distribute their malware on the Google Play Store, resulting in a dropper-as-a-service (DaaS) model.”