A malicious campaign used seemingly harmless Android dropper apps in the Google Play Store to compromise users’ devices with banking malware.
These 17 dropper apps, collectively dubbed DawDropper by Trend Micro, are disguised as productivity and utility apps such as document scanners, QR code readers, VPN services, and call recorders, among others. All of the apps in question have since been removed from the app marketplace.
“DawDropper uses Firebase Realtime Database, a third-party cloud service, to bypass detection and dynamically obtain a payload download address,” the researchers said. “It also hosts malicious payloads on GitHub.”
Droppers are apps designed to sneak past Google Play Store security checks and then download more powerful and intrusive malware onto a device, in this case Octo (Coper), Hydra, Ermac, and TeaBot.
In the observed attack chains, DawDropper established a connection to a Firebase Realtime Database to receive the GitHub URL from which the malicious APK file was then downloaded.
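As an added illustration (not code from Trend Micro or from the article), the staged retrieval described above can be hunted for in per-app egress logs: a package that reads a Firebase Realtime Database and shortly afterwards fetches an .apk from GitHub. The log format, the Firebase hostname and the GitHub repository path below are constructed placeholders, not indicators from the report.

```python
import re
from datetime import datetime, timedelta

# Firebase Realtime Database hostnames and GitHub hosts that can serve raw files.
FIREBASE_RTDB = re.compile(r"^[\w.-]+\.(firebaseio\.com|firebasedatabase\.app)$")
GITHUB_HOSTS = {"github.com", "raw.githubusercontent.com", "objects.githubusercontent.com"}
# Log line shape (constructed): "<iso-timestamp> <package> <url>"
LINE = re.compile(r"^(\S+)\s+(\S+)\s+https?://([^/\s]+)(/\S*)?$")

# Constructed sample egress log; the RTDB name and repo path are placeholders.
SAMPLE_LOG = """\
2022-07-20T10:00:01Z com.example.notes https://api.example.com/sync
2022-07-20T10:00:05Z com.caduta.aisevsk https://placeholder-db.firebaseio.com/conf.json
2022-07-20T10:00:09Z com.caduta.aisevsk https://github.com/placeholder/repo/raw/main/update.apk
2022-07-20T10:03:00Z com.example.weather https://raw.githubusercontent.com/placeholder/data/main/cities.json
2022-07-20T10:30:00Z com.example.chat https://chat-prod.firebaseio.com/rooms.json
"""

def parse(line):
    """Split one log line into (timestamp, package, host, path); None if malformed."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group(2), m.group(3).lower(), (m.group(4) or "/")

def flag_staged_downloads(log_text, window=timedelta(minutes=10)):
    """Return one finding per APK fetched from GitHub by a package that read a
    Firebase Realtime Database within `window` beforehand (the DawDropper staging
    pattern). Legitimate apps use Firebase too, so treat hits as triage leads."""
    last_rtdb = {}   # package -> (timestamp, url) of its most recent RTDB read
    findings = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, pkg, host, path = rec
        if FIREBASE_RTDB.match(host):
            last_rtdb[pkg] = (ts, host + path)
        elif host in GITHUB_HOSTS and path.lower().endswith(".apk"):
            seen = last_rtdb.get(pkg)
            if seen and ts - seen[0] <= window:
                findings.append({"package": pkg, "rtdb": seen[1], "apk": host + path})
    return findings

if __name__ == "__main__":
    for f in flag_staged_downloads(SAMPLE_LOG):
        print(f"{f['package']}: RTDB read {f['rtdb']} then APK fetch {f['apk']}")
```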
The list of malicious apps previously available in the app store is below:
- Call Recorder APK (com.caduta.aisevsk)
- Rooster VPN (com.vpntool.androidweb)
- Super Cleaner – hyper & smart (com.j2ca.callrecorder)
- Document Scanner – PDF Creator (com.codeword.docscann)
- Universal Saver Pro (com.virtualapps.universalsaver)
- Eagle photo editor (com.techmediapro.photoediting)
- Call recorder pro+ (com.chestudio.callrecorder)
- Extra Cleaner (com.casualplay.leadbro)
- Crypto utilities (com.utilsmycrypto.mainer)
- FixCleaner (com.cleaner.fixgate)
- Just In: Video Motion (com.olivia.openpuremind)
- Lucky Cleaner (com.luckyg.cleaner)
- Simpli Cleaner (com.scando.qukscanner)
- Unicc QR Scanner (com.qrdscannerratedx)
Among the droppers is an app called “Unicc QR Scanner” that Zscaler flagged earlier this month as distributing the Coper banking trojan, a variant of the Exobot mobile malware.
Octo is also known to disable Google Play Protect and use Virtual Network Computing (VNC) to record a victim’s screen, including sensitive information such as banking details, email addresses, passwords, and PINs, all of which are then exfiltrated to a remote server.
Banking droppers have also evolved since the beginning of the year, moving from hard-coded payload download addresses to an intermediary that hides the address hosting the malware.
“Cybercriminals are constantly finding ways to evade detection and infect as many devices as possible,” the researchers said.
In addition, due to the high demand for new ways to distribute mobile malware, several attackers claim that their droppers could help other cybercriminals distribute their malware on the Google Play Store, resulting in a dropper-as-a-service (DaaS) model.