A malicious campaign leveraged seemingly harmless Android dropper apps on the Google Play Store to compromise users’ devices with banking malware.
These 17 dropper apps, collectively dubbed DawDropper by Trend Micro, masqueraded as productivity and utility apps such as document scanners, QR code readers, VPN services, and call recorders, among others. All of the apps in question have since been removed from the app marketplace.
“DawDropper uses Firebase Realtime Database, a third-party cloud service, to evade detection and dynamically obtain a payload download address,” the researchers said. “It also hosts malicious payloads on GitHub.”
Droppers are apps designed to sneak past Google’s Play Store security checks, after which they are used to download more potent and intrusive malware onto a device, in this case Octo (Coper), Hydra, Ermac, and TeaBot.
Attack chains involved the DawDropper malware establishing a connection to a Firebase Realtime Database to retrieve the GitHub URL needed to download the malicious APK file.
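The two-stage fetch described above (a Firebase Realtime Database lookup followed by an APK download from GitHub) is something a defender can hunt for in per-app egress logs. The following is an added example, not code from the article or from Trend Micro; it assumes a constructed log format of `timestamp package host path`, sorted by time, such as a device proxy or mobile EDR might produce, and the package names and paths in the sample are either from the article's list or constructed placeholders.

```python
import re
from datetime import datetime, timedelta

# Constructed sample egress log: timestamp, Android package, destination host, path.
# com.caduta.aisevsk is one of the package names reported in the article; the
# Firebase project name and GitHub repository path are placeholders, not real IoCs.
SAMPLE_LOGS = """
2022-07-29T10:00:01 com.example.notes api.example.com /sync
2022-07-29T10:00:05 com.caduta.aisevsk dropper-demo.firebaseio.com /config.json
2022-07-29T10:00:09 com.caduta.aisevsk raw.githubusercontent.com /placeholder-repo/main/stage2.apk
2022-07-29T10:05:00 com.example.weather api.weather.example /v1/forecast
2022-07-29T10:06:00 com.example.weather raw.githubusercontent.com /somerepo/main/README.md
""".strip()

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
# Firebase Realtime Database endpoints live under these domains.
FIREBASE_SUFFIXES = (".firebaseio.com", ".firebasedatabase.app")
GITHUB_HOSTS = {"github.com", "raw.githubusercontent.com", "objects.githubusercontent.com"}
WINDOW = timedelta(minutes=10)  # assumed maximum gap between the two stages


def parse_line(line):
    """Split one log line into (timestamp, package, host, path); None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, pkg, host, path = m.groups()
    return datetime.fromisoformat(ts), pkg, host.lower(), path


def find_dropper_chains(lines):
    """Return {package: (firebase_host, apk_url)} for every package that queried a
    Firebase Realtime Database host and then pulled an .apk from GitHub within WINDOW."""
    last_firebase = {}  # package -> (timestamp, host) of its most recent RTDB contact
    hits = {}
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        ts, pkg, host, path = rec
        if host.endswith(FIREBASE_SUFFIXES):
            last_firebase[pkg] = (ts, host)
        elif host in GITHUB_HOSTS and path.lower().endswith(".apk"):
            seen = last_firebase.get(pkg)
            if seen and timedelta(0) <= ts - seen[0] <= WINDOW:
                hits[pkg] = (seen[1], f"https://{host}{path}")
    return hits


if __name__ == "__main__":
    for pkg, (fb_host, apk_url) in find_dropper_chains(SAMPLE_LOGS.splitlines()).items():
        print(f"suspected dropper chain: {pkg} via {fb_host} -> {apk_url}")
```

An app that only reads a README from GitHub, or only talks to Firebase, is not flagged; the signal is the ordered pair from one package.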
The list of malicious apps previously available from the app store is below:
- Call Recorder APK (com.caduta.aisevsk)
- Rooster VPN (com.vpntool.androidweb)
- Super Cleaner- hyper & smart (com.j2ca.callrecorder)
- Document Scanner - PDF Creator (com.codeword.docscann)
- Universal Saver Pro (com.virtualapps.universalsaver)
- Eagle photo editor (com.techmediapro.photoediting)
- Call recorder pro+ (com.chestudio.callrecorder)
- Extra Cleaner (com.casualplay.leadbro)
- Crypto Utils (com.utilsmycrypto.mainer)
- FixCleaner (com.cleaner.fixgate)
- Just In: Video Motion (com.olivia.openpuremind)
- com.myunique.sequencestore
- com.flowmysequto.yamer
- com.qaz.universalsaver
- Lucky Cleaner (com.luckyg.cleaner)
- Simpli Cleaner (com.scando.qukscanner)
- Unicc QR Scanner (com.qrdscannerratedx)
Included among the droppers is an app named “Unicc QR Scanner” that was previously flagged by Zscaler this month as distributing the Coper banking trojan, a variant of the Exobot mobile malware. Octo is also known to disable Google Play Protect and use virtual network computing (VNC) to record a victim device’s screen, including sensitive information such as banking credentials, email addresses and passwords, and PINs, all of which are subsequently exfiltrated to a remote server.
Banking droppers, for their part, have evolved since the start of the year, pivoting away from hard-coded payload download addresses to the use of an intermediary that conceals the address hosting the malware.
“Cybercriminals are constantly finding ways to evade detection and infect as many devices as possible,” the researchers said.
“Moreover, because there is a high demand for novel ways to distribute mobile malware, several malicious actors claim that their droppers could help other cybercriminals disseminate their malware on Google Play Store, resulting in a dropper-as-a-service (DaaS) model.”