A malicious campaign took advantage of seemingly innocuous Android apps dripping on the Google Play Store to compromise users’ devices with banking malware.
These 17 dropper applications, collectively known as DawDropper by Trend Micro, masquerading as productivity and utility apps like document scanners, QR code readers, VPN services, and call recorders, among others. All these mentioned apps have been removed from the app market.
“DawDropper uses Firebase’s Realtime Database, a third-party cloud service, to avoid detection and automatically obtain the payload download address,” the researchers said. “It also hosts malicious payloads on GitHub.”
Droppers are apps designed to pass Google’s Play Store security checks, then they are used to download intrusive and more powerful malware on the device, in this case Octo ( Coper), Hydra, Ermac and TeaBot.
The attack chains associated with the DawDropper malware establish a connection to the Firebase Realtime Database to obtain the GitHub URL needed to download the malicious APK file.
Here is the list of malicious apps available from the app store –
- Call Recorder APK (com.caduta.aisevsk)
- Rooster VPN (com.vpntool.androidweb)
- Super Cleaner- super & smart (com.j2ca.callrecorder)
- Document Scanner – PDF Generator (com.codeword.docscann)
- Universal Saver Pro (com.virtualapps.universalsaver)
- Eagle Photo Editor (com.techmediapro.photoediting)
- Call recorder pro+ (com.chestudio.callrecorder)
- Additional cleaner (com.casualplay.leadbro)
- Cryptocurrency Utility (com.utilsmycrypto.mainer)
- FixCleaner (com.cleaner.fixgate)
- Only in: Motion Video (com.olivia.openpuremind)
- Lucky Cleaner (com.luckyg.cleaner)
- Simpli Cleaner (com.scando.qukscanner)
- Unicc QR Scanner (com.qrdscannerratedx)
Included among the droppers is an app called “Unicc QR Scanner” that was previously flagged by Zscaler this month as distributing the Coper banking trojan, a variant of the Exobot mobile malware.
Octo is also known to disable Google Play Protect and use virtual network computing (VNC) to record the screen of a victim device, including sensitive information such as bank logins, email addresses, and email addresses. passwords as well as PINs, all of which are then transferred to a remote server.
For their part, bankers have grown since the start of the year, redirecting from hardcoded payload download addresses to using an intermediary to mask the malware host address.
“Cybercriminals are constantly looking for ways to avoid detection and infect as many devices as possible,” the researchers said.
In addition, due to the high demand for new ways to distribute malware on mobile devices, some malicious actors claim that their software drops can help other cybercriminals. disseminate their malware on the Google Play Store, leading to a trickle-of-service (DaaS) model.”