A malicious campaign pushing Android dropper apps through the Google Play Store appears to be the vehicle for distributing the DawDropper banking malware to compromised devices. According to researchers, more than a dozen Android applications are disguised as utility and productivity apps.
The researchers call the dropper DawDropper; the infected apps pose as utility tools such as QR code scanners, VPN services, call recorders, and document scanners. All of the apps in question have since been removed from the Play Store.
DawDropper bypasses detection via a third-party cloud service.
Analysis revealed that DawDropper uses a Firebase Realtime Database, a third-party cloud service, to evade detection and to retrieve the payload download address. The malicious payloads themselves are stored in GitHub repositories.
Researchers also noted that the droppers are applications built by their authors to evade the Play Store's security checks. This approach lets the threat actors deploy potent malware, such as Hydra, TeaBot, Ermac, and Octo, on compromised devices.
In the attack sequence, the DawDropper malware connects to a Firebase Realtime Database to obtain the GitHub URL from which it then downloads the malicious APK file.
Among the apps researchers identified as malicious are Call Recorder APK, Rooster VPN, Super Cleaner- hyper & smart, Document Scanner – PDF Creator, Universal Saver Pro, Eagle photo editor, Call recorder pro+, Extra Cleaner, Crypto Utils, FixCleaner, Just In: Video Motion, Lucky Cleaner, Simpli Cleaner, and Unicc QR Scanner.
One of these dropper apps, Unicc QR Scanner, had already been flagged by a researcher last month for distributing the Coper banking trojan.
Octo is notorious for disabling Google Play Protect and using VNC to record and screenshot the victim's device screen. It can also harvest sensitive data from the device, including email addresses, passwords, and PINs, which the actors then exfiltrate to a remote server.
Banking droppers have evolved: their authors have moved away from hard-coded payload download addresses and now use an intermediary to hide the address that hosts the malware.
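The indirection described in the attack sequence and in the closing paragraph (a Firebase Realtime Database lookup that returns a GitHub-hosted APK URL) leaves a recognisable pattern in an app's strings and in its network traffic. The following Python script is an added example for analysts, not code from the article or from the researchers who reported DawDropper: it scans strings recovered from an APK for the combination of a Firebase RTDB endpoint and a GitHub-hosted `.apk` URL, and walks a captured RTDB JSON response to pull out any payload URLs it carries. All hostnames, paths and the JSON document below are constructed placeholders, not real indicators; real droppers may obfuscate or encrypt these strings, so this is a triage heuristic, not a detection signature.

```python
"""
Static triage heuristic for the Firebase -> GitHub download pattern used by
DawDropper-style droppers. Added example; sample strings and JSON are constructed.
"""
from __future__ import annotations

import json
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Firebase Realtime Database hosts end in firebaseio.com (legacy) or
# firebasedatabase.app; REST reads usually target "<path>.json".
FIREBASE_RTDB_RE = re.compile(
    r"https?://[\w.-]+\.(?:firebaseio\.com|firebasedatabase\.app)(?:/[\w./-]*)?",
    re.IGNORECASE,
)
# GitHub-hosted files: raw.githubusercontent.com or github.com/<user>/<repo>/...
GITHUB_URL_RE = re.compile(
    r"https?://(?:raw\.githubusercontent\.com|github\.com)/[\w./-]+",
    re.IGNORECASE,
)


@dataclass
class TriageResult:
    firebase_endpoints: list[str] = field(default_factory=list)
    github_apk_urls: list[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # The combination is the signal; either indicator alone is common in benign apps.
        return bool(self.firebase_endpoints) and bool(self.github_apk_urls)


def triage_strings(strings) -> TriageResult:
    """Scan strings recovered from an APK (decoded resources, DEX string pool)
    for Firebase RTDB endpoints and GitHub URLs that point at an .apk file."""
    result = TriageResult()
    for s in strings:
        for url in FIREBASE_RTDB_RE.findall(s):
            if url not in result.firebase_endpoints:
                result.firebase_endpoints.append(url)
        for url in GITHUB_URL_RE.findall(s):
            if url.lower().endswith(".apk") and url not in result.github_apk_urls:
                result.github_apk_urls.append(url)
    return result


def extract_payload_urls(rtdb_json: str) -> list[tuple[str, str]]:
    """Walk a captured Firebase RTDB response and return (url, host) for every
    string value that is an HTTP(S) URL ending in .apk. Nested objects and lists
    are traversed, so the key names used by the dropper need not be known."""
    found: list[tuple[str, str]] = []

    def walk(node):
        if isinstance(node, dict):
            for value in node.values():
                walk(value)
        elif isinstance(node, list):
            for value in node:
                walk(value)
        elif isinstance(node, str):
            parsed = urlparse(node)
            if parsed.scheme in ("http", "https") and parsed.path.lower().endswith(".apk"):
                found.append((node, parsed.netloc.lower()))

    walk(json.loads(rtdb_json))
    return found


# Constructed sample input (placeholder hosts and paths, not real indicators).
SAMPLE_STRINGS = [
    "https://example-dropper-default-rtdb.firebaseio.com/config.json",
    "https://raw.githubusercontent.com/example-user/example-repo/main/stage2.apk",
    "com.example.qrscanner",
]
SAMPLE_RTDB_RESPONSE = (
    '{"v": 2, "dl": {"url": "https://raw.githubusercontent.com/'
    'example-user/example-repo/main/stage2.apk"}, "note": "x"}'
)

if __name__ == "__main__":
    report = triage_strings(SAMPLE_STRINGS)
    print("suspicious:", report.suspicious)
    print("firebase endpoints:", report.firebase_endpoints)
    print("github apk urls:", report.github_apk_urls)
    print("payload urls in RTDB response:", extract_payload_urls(SAMPLE_RTDB_RESPONSE))
```

In practice the strings would come from a tool such as `apktool`'s decoded output or a DEX string dump, and the JSON from a proxy capture of the app's first network requests; an app that hits a Firebase RTDB path and is then handed a GitHub-hosted APK it tries to install is worth a manual look regardless of its listed category.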