Security researchers from Trend Micro discovered over a dozen Android apps on the Google Play Store, collectively dubbed DawDropper, that were dropping banking malware.
The campaign leveraged 17 seemingly harmless Android dropper apps on the Google Play Store to distribute banking malware.
The DawDropper apps were disguised as productivity and utility apps such as document scanners, VPN services, QR code readers, and call recorders. All of the apps in question have since been removed from the store.
According to the researchers' report, in the latter part of 2021 they found a malicious campaign using a new dropper variant they dubbed DawDropper. Under the guise of Android apps such as Just In: Video Motion, Document Scanner Pro, Conquer Darkness, simpli Cleaner, and Unicc QR Scanner, DawDropper uses Firebase Realtime Database, a third-party cloud service, to evade detection and to dynamically obtain the download address of its payload. The payloads themselves are hosted on GitHub.
DawDropper apps were found dropping four families of banking trojans: Octo, Hydra, Ermac, and TeaBot. The dropper uses Firebase Realtime Database, a legitimate cloud-hosted NoSQL database, as its command-and-control (C&C) server and hosts its malicious payloads on GitHub. Because the payload address is fetched from the database at runtime rather than embedded in the app, the APK submitted to the store need not contain anything that points directly at the final payload, and the operators can change the payload location without shipping a new app.
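The pattern described above (a Realtime Database endpoint contacted at runtime, a GitHub-hosted payload, and the ability to install a package) gives a triage heuristic for strings extracted from an APK. The following Python is an added example, not code from Trend Micro or from the samples; the sample strings, hostnames and paths are constructed for illustration and are not indicators from the DawDropper campaign.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the kind of strings a `strings` or apktool dump of an APK
# would yield. NOT indicators from the DawDropper samples; hostnames and paths
# are hypothetical.
SAMPLE_STRINGS = [
    "Lcom/google/firebase/database/FirebaseDatabase;",
    "https://example-dropper-default-rtdb.firebaseio.com/",
    "https://raw.githubusercontent.com/example-org/example-repo/main/update.bin",
    "https://www.google.com/",
    "android.permission.REQUEST_INSTALL_PACKAGES",
    "application/vnd.android.package-archive",
]

# Firebase Realtime Database instances live under these host suffixes.
FIREBASE_RTDB_HOST = re.compile(r"(^|\.)firebaseio\.com$|(^|\.)firebasedatabase\.app$")
# Hosts from which an app could fetch a GitHub-hosted file.
GITHUB_HOSTS = {"github.com", "raw.githubusercontent.com", "objects.githubusercontent.com"}
# Strings suggesting the app can install another package (dropper capability).
INSTALL_MARKERS = (
    "android.permission.REQUEST_INSTALL_PACKAGES",
    "application/vnd.android.package-archive",
)
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def classify_url(url):
    """Return 'firebase_rtdb', 'github', or None for a single URL."""
    host = (urlparse(url).hostname or "").lower()
    if FIREBASE_RTDB_HOST.search(host):
        return "firebase_rtdb"
    if host in GITHUB_HOSTS:
        return "github"
    return None


def find_dropper_indicators(strings):
    """Group indicator strings by category for analyst triage."""
    found = {"firebase_sdk": [], "firebase_rtdb": [], "github": [], "install_capability": []}
    for s in strings:
        if "com/google/firebase/database" in s:      # Realtime Database client classes
            found["firebase_sdk"].append(s)
        if any(marker in s for marker in INSTALL_MARKERS):
            found["install_capability"].append(s)
        for url in URL_RE.findall(s):
            kind = classify_url(url)
            if kind:
                found[kind].append(url)
    return found


def dawdropper_like(found):
    """True only when the whole pattern is present: a Realtime Database endpoint
    (where a payload address could be fetched at runtime), a GitHub host (where a
    payload could be stored), and package-install capability. Each piece alone is
    common in benign apps, so no single hit is a verdict; this is a triage signal."""
    return bool(found["firebase_rtdb"]) and bool(found["github"]) and bool(found["install_capability"])


if __name__ == "__main__":
    hits = find_dropper_indicators(SAMPLE_STRINGS)
    for category, items in hits.items():
        print(f"{category}: {items}")
    print("dawdropper-like pattern:", dawdropper_like(hits))
```

Feed it the output of `strings` on the decoded APK (or the string table from apktool's smali output). Note that the GitHub URL will usually be absent from a real dropper's static strings, since that is exactly what the Firebase lookup hides; in that case the Firebase endpoint plus install capability is the part you can still see statically, and the GitHub fetch only appears in network traffic from a sandbox run.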
The researchers also compared DawDropper with Clast82, another dropper, uncovered by Check Point Research in March 2021; both DawDropper and Clast82 use Firebase Realtime Database as a C&C server.
Banking droppers implement their own distribution and installation techniques, and cybercriminals are constantly finding ways to evade detection and infect as many devices as possible.
As more banking trojans are made available via dropper-as-a-service (DaaS) offerings, malicious actors will have an easier and more cost-effective way of distributing malware disguised as legitimate apps.