A malicious campaign exploited seemingly harmless Android dropper apps in the Google Play Store to compromise users’ devices with banking malware.
These 17 dropper apps, collectively called DawDropper by Trend Micro, masqueraded as productivity and utility apps such as document scanners, QR code readers, VPN services and call recorders. All of these apps have since been removed from the app store.
“DawDropper uses Firebase Realtime Database, a third-party cloud service, to avoid detection and dynamically obtain a payload download address,” the researchers said. “It also hosts malicious payloads on GitHub.”
Droppers are apps designed to bypass Google’s Play Store security checks, after which they are used to download more potent and intrusive malware onto a device, in this case Octo (Coper), Hydra, Ermac and TeaBot.
In the observed attack chains, the DawDropper malware connects to a Firebase Realtime Database to retrieve the GitHub URL from which it then downloads the malicious APK payload.
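The two-stage fetch described above (a configuration pull from Firebase followed by an APK download from GitHub) is the kind of behaviour a defender can look for in per-app network telemetry. The following is an added example, not code from Trend Micro or from the report; the log format, the package names and the hostnames used for the staging and payload services are constructed assumptions.

```python
# Added example: flag apps whose network flows show a DawDropper-style chain,
# i.e. a Firebase Realtime Database request followed shortly by an APK fetch
# from GitHub. Log format, hostnames and package names are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

STAGING_HOSTS = ("firebaseio.com",)  # assumed Firebase RTDB suffix
PAYLOAD_HOSTS = ("github.com", "raw.githubusercontent.com",
                 "objects.githubusercontent.com")  # assumed GitHub hosts
WINDOW = timedelta(minutes=10)  # max gap between config pull and APK fetch

def _parse(line):
    # Constructed record format: "<ISO timestamp> <package> <host> <path>"
    ts, pkg, host, path = line.split()
    return datetime.fromisoformat(ts), pkg, host, path

def _matches(host, suffixes):
    return any(host == s or host.endswith("." + s) for s in suffixes)

def find_dropper_chains(lines):
    """Return {package: (staging_host, payload_url)} for every app that
    queried a staging host and then pulled an .apk from a payload host
    within WINDOW. Apps whose fetches are far apart are not flagged."""
    events = defaultdict(list)
    for line in lines:
        if line.strip():
            ts, pkg, host, path = _parse(line)
            events[pkg].append((ts, host, path))
    hits = {}
    for pkg, evs in events.items():
        evs.sort()  # chronological order per package
        for i, (t0, h0, _) in enumerate(evs):
            if pkg in hits or not _matches(h0, STAGING_HOSTS):
                continue
            for t1, h1, p1 in evs[i + 1:]:
                if t1 - t0 > WINDOW:
                    break  # later flows are outside the window
                if _matches(h1, PAYLOAD_HOSTS) and p1.lower().endswith(".apk"):
                    hits[pkg] = (h0, f"https://{h1}{p1}")
                    break
    return hits

# Constructed sample flows: one clear chain, one benign-looking slow pair, one unrelated app.
SAMPLE_FLOWS = """\
2022-07-01T10:00:02 com.example.scanner example-db.firebaseio.com /config.json
2022-07-01T10:00:05 com.example.scanner raw.githubusercontent.com /acct/repo/main/stage2.apk
2022-07-01T10:01:00 com.example.notes example-db.firebaseio.com /notes.json
2022-07-01T10:40:00 com.example.notes raw.githubusercontent.com /acct/repo/main/update.apk
2022-07-01T11:00:00 com.example.wallpapers cdn.example.org /img/1.jpg
""".splitlines()

if __name__ == "__main__":
    for pkg, (src, url) in find_dropper_chains(SAMPLE_FLOWS).items():
        print(f"{pkg}: config from {src}, then APK from {url}")
```

Only `com.example.scanner` is reported; the notes app also touches both services but 39 minutes apart, which this heuristic treats as unrelated traffic.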
The list of malicious apps that were previously available from the app store is below –
- Call Recorder APK (com.caduta.aisevsk)
- Rooster VPN (com.vpntool.androidweb)
- Super Cleaner – hyper and smart (com.j2ca.callrecorder)
- Document Scanner – PDF Creator (com.codeword.docscann)
- Universal Saver Pro (com.virtualapps.universalsaver)
- Eagle Photo Editor (com.techmediapro.photoediting)
- Call recorder pro+ (com.chestudio.callrecorder)
- Extra cleaner (com.casualplay.leadbro)
- Crypto Utils (com.utilsmycrypto.mainer)
- FixCleaner (com.cleaner.fixgate)
- Just In: Video Motion (com.olivia.openpuremind)
- Lucky Cleaner (com.luckyg.cleaner)
- Simpli Cleaner (com.scando.qukscanner)
- Unicc QR Scanner (com.qrdscannerratedx)
Included among the droppers is an app called “Unicc QR Scanner” that was previously flagged by Zscaler this month for distributing the Coper banking trojan, a variant of the Exobot mobile malware.
Octo is also known to disable Google Play Protect and use virtual network computing (VNC) to record the screen of a victim device, including sensitive information such as banking credentials, email addresses and passwords, and PINs, all of which are then exfiltrated to a remote server.
Banking droppers, on the other hand, have evolved since the beginning of the year, moving away from hard-coding payload download addresses to using an intermediary to hide the address that hosts the malware.
“Cybercriminals are constantly finding ways to avoid detection and infect as many devices as possible,” the researchers said.
“In addition, because new ways to distribute mobile malware are in high demand, several malicious actors claim that their droppers can help other cybercriminals spread malware on the Google Play Store, resulting in a dropper-as-a-service (DaaS) model.”