These 17 dropper apps, collectively dubbed DawDropper by Trend Micro, masqueraded as productivity and utility apps such as document scanners, QR code readers, VPN services, and call recorders, among others. All of the apps in question have since been removed from the app marketplace.
“DawDropper uses Firebase Realtime Database, a third-party cloud service, to evade detection and dynamically obtain a payload download address,” the researchers said. “It also hosts malicious payloads on GitHub.”
Droppers are apps designed to sneak past Google’s Play Store security checks, after which they are used to download more potent and intrusive malware onto a device, in this case Octo (Coper), Hydra, Ermac, and TeaBot.
Attack chains involved the DawDropper malware establishing a connection to a Firebase Realtime Database to retrieve the GitHub URL needed to download the malicious APK file.
The list of malicious apps previously available from the app store is below –
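The two-stage fetch described above (a read from a Firebase Realtime Database followed shortly by an APK download from GitHub) is something a defender can look for in egress proxy logs. The following is an added detection example, not Trend Micro's code; the log format, the five-minute window, the host list and the log lines themselves are constructed assumptions.

```python
"""Flag DawDropper-style staging in constructed proxy logs.

Assumed line format (constructed, not a real product's format):
  <iso-timestamp> <device-id> <method> <host> <path>
Heuristic (assumption): a device that reads *.firebaseio.com and,
within WINDOW, downloads a .apk from a GitHub host is flagged.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FIREBASE_SUFFIX = ".firebaseio.com"
GITHUB_HOSTS = {"github.com", "raw.githubusercontent.com",
                "objects.githubusercontent.com"}
WINDOW = timedelta(minutes=5)  # assumed correlation window

# Constructed sample log: dev-a matches the pattern, dev-b never touches
# Firebase, dev-c's Firebase read and APK fetch are too far apart.
SAMPLE_LOG = """\
2022-07-29T10:00:01 dev-a GET example-project.firebaseio.com /config.json
2022-07-29T10:00:04 dev-a GET raw.githubusercontent.com /example/repo/main/stage2.apk
2022-07-29T10:01:00 dev-b GET raw.githubusercontent.com /someone/tool/main/README.md
2022-07-29T10:02:00 dev-c GET chat-app.firebaseio.com /messages.json
2022-07-29T11:30:00 dev-c GET github.com /foo/bar/releases/download/v1/app.apk
"""


def parse(line):
    """Split one log line into (timestamp, device, host, path)."""
    ts, dev, _method, host, path = line.split(maxsplit=4)
    return datetime.fromisoformat(ts), dev, host.lower(), path


def find_suspicious(log_text):
    """Return [(device, url)] for APK pulls from GitHub that follow a
    Firebase RTDB read by the same device within WINDOW."""
    firebase_hits = defaultdict(list)  # device -> timestamps of RTDB reads
    flagged = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, dev, host, path = parse(line)
        if host.endswith(FIREBASE_SUFFIX):
            firebase_hits[dev].append(ts)
        elif host in GITHUB_HOSTS and path.lower().endswith(".apk"):
            # Only earlier Firebase reads inside the window count.
            if any(ts - t <= WINDOW for t in firebase_hits[dev] if t <= ts):
                flagged.append((dev, host + path))
    return flagged


if __name__ == "__main__":
    for dev, url in find_suspicious(SAMPLE_LOG):
        print(f"suspicious staging on {dev}: {url}")
```

Legitimate apps also use Firebase and GitHub, so treat a hit as a triage lead for the device and package involved rather than a verdict.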
- Call Recorder APK (com.caduta.aisevsk)
- Rooster VPN (com.vpntool.androidweb)
- Super Cleaner- hyper & smart (com.j2ca.callrecorder)
- Document Scanner – PDF Creator (com.codeword.docscann)
- Universal Saver Pro (com.virtualapps.universalsaver)
- Eagle photo editor (com.techmediapro.photoediting)
- Call recorder pro+ (com.chestudio.callrecorder)
- Extra Cleaner (com.casualplay.leadbro)
- Crypto Utils (com.utilsmycrypto.mainer)
- FixCleaner (com.cleaner.fixgate)
- Just In: Video Motion (com.olivia.openpuremind)
- Lucky Cleaner (com.luckyg.cleaner)
- Simpli Cleaner (com.scando.qukscanner)
- Unicc QR Scanner (com.qrdscannerratedx)
Included among the droppers is an app named “Unicc QR Scanner” that was previously flagged by Zscaler earlier this month as distributing the Coper banking trojan, a variant of the Exobot mobile malware.
Octo is also known to disable Google Play Protect and use virtual network computing (VNC) to record a victim device’s screen, including sensitive information such as banking credentials, email addresses and passwords, and PINs, all of which are subsequently exfiltrated to a remote server.
Banking droppers, for their part, have evolved since the start of the year, pivoting away from hard-coded payload download addresses to using an intermediary to conceal the address hosting the malware.
“Cybercriminals are constantly finding ways to evade detection and infect as many devices as possible,” the researchers said.
“Moreover, because there is a high demand for novel ways to distribute mobile malware, several malicious actors claim that their droppers could help other cybercriminals disseminate their malware on Google Play Store, resulting in a dropper-as-a-service (DaaS) model.”