U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

17 Android Apps on Google Play Store, dubbed DawDropper, were serving banking malware

The researchers discovered over a dozen Android Apps on Google Play Store, collectively dubbed DawDropper, that were dropping Banking malware. Trend Micro researchers uncovered a malicious campaign that leveraged 17 seemingly harmless Android dropper apps, collectively tracked as DawDropper, on the Google Play Store to distribute banking malware. The DawDropper apps are masqueraded as productivity and utility apps such […]

DawDropper Google Play

The researchers discovered over a dozen Android Apps on Google Play Store, collectively dubbed DawDropper, that were dropping Banking malware.

Trend Micro researchers uncovered a malicious campaign that leveraged 17 seemingly harmless Android dropper apps, collectively tracked as DawDropper, on the Google Play Store to distribute banking malware.

The DawDropper apps are masqueraded as productivity and utility apps such as document scanners, VPN services, QR code readers, and call recorders. All these apps in question have been removed from the app marketplace.

“In the latter part of 2021, we found a malicious campaign that uses a new dropper variant that we have dubbed as DawDropper. Under the guise of several Android apps such as Just In: Video Motion, Document Scanner Pro, Conquer Darkness, simpli Cleaner, and Unicc QR Scanner, DawDropper uses Firebase Realtime Database, a third-party cloud service, to evade detection and dynamically obtain a payload download address.” reads the report published by Trend Micro. “It also hosts malicious payloads on GitHub. As of reporting, these malicious apps are no longer available on Google Play Store.”

DawDropper Google Play

DawDropper apps were spotted dropping four families of banking trojans, including Octo, Hydra, Ermac, and TeaBot. All the malware use a Firebase Realtime Database, a legitimate cloud-hosted NoSQL database for storing data, as a command-and-control (C&C) server and host malicious payloads on GitHub.

Trend Micro also found another dropper, tracked as Clast82, which was uncovered by CheckPoint Research in March 2021. Both DawDropper and Clast82 use Firebase Realtime Database as a C&C server.

DawDropper Google Play

The researchers pointed out that the banking droppers implements their own distribution and installation technique. The experts have observed the banking droppers that were launched earlier this year have hard-coded payload download addresses. Meanwhile, the banking droppers that have been recently launched are designed to hide the actual payload download address, at times use third-party services as their C&C servers, and use third-party services such as GitHub to host malicious payloads.

Below is the list of malicious DawDropper apps that were found in the Play Store:

  • Call Recorder APK (com.caduta.aisevsk)
  • Rooster VPN (com.vpntool.androidweb)
  • Super Cleaner- hyper & smart (com.j2ca.callrecorder)
  • Document Scanner – PDF Creator (com.codeword.docscann)
  • Universal Saver Pro (com.virtualapps.universalsaver)
  • Eagle photo editor (com.techmediapro.photoediting)
  • Call recorder pro+ (com.chestudio.callrecorder)
  • Extra Cleaner (com.casualplay.leadbro)
  • Crypto Utils (com.utilsmycrypto.mainer)
  • FixCleaner (com.cleaner.fixgate)
  • Just In: Video Motion (com.olivia.openpuremind)
  • com.myunique.sequencestore
  • com.flowmysequto.yamer
  • com.qaz.universalsaver
  • Lucky Cleaner (com.luckyg.cleaner)
  • Simpli Cleaner (com.scando.qukscanner)
  • Unicc QR Scanner (com.qrdscannerratedx)

“Cybercriminals are constantly finding ways to evade detection and infect as many devices as possible. In a half-year span, we have seen how banking trojans have evolved their technical routines to avoid being detected, such as hiding malicious payloads in droppers. As more banking trojans are made available via DaaS, malicious actors will have an easier and more cost-effective way of distributing malware disguised as legitimate apps.” concludes the report. “We foresee that this trend will continue and more banking trojans will be distributed on digital distribution services in the future.”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Android)

[adrotate banner=”5″]

[adrotate banner=”13″]