These 17 dropper apps, named DawDropper by Trend Micro, masqueraded as productivity and utility apps such as document scanners, QR code readers, VPN services, and call recorders, among others. All of the apps in question have been withdrawn from the app store.
“DawDropper leverages a third-party cloud service, Firebase Realtime Database, to avoid detection and dynamically obtain a payload download address,” the researchers explained. “On GitHub, it also hosts dangerous payloads.”
Droppers are apps designed to pass Google’s Play Store security checks, after which they are used to download more powerful and intrusive malware onto a device, in this case Octo (Coper), Hydra, Ermac, and TeaBot.
The DawDropper malware established connections with a Firebase Realtime Database to obtain the GitHub URL required to download the malicious APK file.
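The two-stage fetch described above (a Firebase Realtime Database read that yields a GitHub URL, followed by an APK download from GitHub) is a sequence a defender can look for in per-app network telemetry. The following detection heuristic is an added example, not code from Trend Micro or from the article; the log format, package names and URLs are constructed, and the Firebase host suffixes and GitHub hosts are assumptions about where such traffic would appear.

```python
"""Heuristic detection of a DawDropper-style two-stage payload fetch:
an app reads from a Firebase Realtime Database, then shortly afterwards
downloads an .apk from GitHub. Log format and all sample lines are constructed."""
from urllib.parse import urlsplit

# Assumed host patterns for Firebase Realtime Database and GitHub downloads.
FIREBASE_SUFFIXES = (".firebaseio.com", ".firebasedatabase.app")
GITHUB_HOSTS = ("github.com", "raw.githubusercontent.com",
                "objects.githubusercontent.com")

# Constructed sample telemetry: "timestamp,package,url" (not real data).
SAMPLE_LOG = """\
1001,com.example.notes,https://api.example.net/sync
1002,com.example.scanner,https://proj-1234.firebaseio.com/config.json
1005,com.example.scanner,https://raw.githubusercontent.com/u/r/main/update.apk
1010,com.example.docreader,https://proj-5678.firebaseio.com/settings.json
1011,com.example.docreader,https://cdn.example.org/assets/icons.png
1020,com.example.cleaner,https://github.com/u/r/releases/download/v1/tool.apk
"""

def parse_log(text):
    """Turn the constructed log into (timestamp, package, host, path) tuples."""
    events = []
    for line in text.splitlines():
        ts, pkg, url = line.split(",", 2)
        parts = urlsplit(url)
        events.append((int(ts), pkg, parts.hostname or "", parts.path))
    return sorted(events)

def find_two_stage_droppers(events, window=60):
    """Return {package: (firebase_host, github_host)} for apps that contact a
    Firebase Realtime Database and then fetch an .apk from GitHub within
    `window` seconds. A Firebase read alone, or an APK download alone, is
    not flagged, which keeps ordinary apps below the threshold."""
    last_firebase = {}  # package -> (timestamp, host) of most recent RTDB read
    flagged = {}
    for ts, pkg, host, path in events:
        if host.endswith(FIREBASE_SUFFIXES):
            last_firebase[pkg] = (ts, host)
        elif host in GITHUB_HOSTS and path.lower().endswith(".apk"):
            seen = last_firebase.get(pkg)
            if seen and ts - seen[0] <= window:
                flagged[pkg] = (seen[1], host)
    return flagged

if __name__ == "__main__":
    for pkg, (fb, gh) in find_two_stage_droppers(parse_log(SAMPLE_LOG)).items():
        print(f"{pkg}: Firebase RTDB {fb} -> APK from {gh}")
```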
The list of malicious apps previously available from the app store is below:
- Call Recorder APK (com.caduta.aisevsk)
- Rooster VPN (com.vpntool.androidweb)
- Super Cleaner- hyper & smart (com.j2ca.callrecorder)
- Document Scanner – PDF Creator (com.codeword.docscann)
- Universal Saver Pro (com.virtualapps.universalsaver)
- Eagle photo editor (com.techmediapro.photoediting)
- Call recorder pro+ (com.chestudio.callrecorder)
- Extra Cleaner (com.casualplay.leadbro)
- Crypto Utils (com.utilsmycrypto.mainer)
- FixCleaner (com.cleaner.fixgate)
- Just In: Video Motion (com.olivia.openpuremind)
- Lucky Cleaner (com.luckyg.cleaner)
- Simpli Cleaner (com.scando.qukscanner)
- Unicc QR Scanner (com.qrdscannerratedx)
Among the droppers is an app called “Unicc QR Scanner,” which Zscaler identified earlier this month as delivering the Coper banking trojan, a variant of the Exobot mobile malware.
In addition, Octo is known to disable Google Play Protect and use virtual network computing (VNC) to capture sensitive data from a victim’s device, including banking credentials, email addresses and passwords, and PINs, which are then transmitted to a remote server.
Since the beginning of the year, banking droppers have changed, moving away from hard-coded payload download locations and toward using an intermediary to mask the address hosting the malware.
The researchers noted that “cybercriminals are continually developing methods to elude detection and infect as many devices as possible.”
Additionally, numerous bad actors claim that their droppers can help other cybercriminals distribute their malware on the Google Play Store, giving rise to a dropper-as-a-service (DaaS) model, driven by strong demand for new ways to deliver mobile malware.