According to Trend Micro researchers, the DawDropper aims at stealing user data, in particular from banking apps on infected Android devices.
Trend Micro security researchers have identified over a dozen malicious Android dropper apps containing banking malware. These apps are easily available on Google Play Store.
The scam is aimed at stealing users’ banking data to steal money from their banking apps. The stolen data includes PIN codes, banking credentials, passwords, etc. The malware can intercept text and gain complete control of the affected device.
“We found a malicious campaign that uses a new dropper variant that we have dubbed as DawDropper. Under the guise of several Android apps such as Just In: Video Motion, Document Scanner Pro, Conquer Darkness, simpli Cleaner, and Unicc QR Scanner.”
Trend Micro
Research revealed that DawDropper malware used a third-party cloud service Firebase Realtime Database to evade detection and obtain a payload download address. Additionally, it hosts payloads on GitHub.
What are Dropper Apps?
According to researchers at Trend Micro, cybercriminals are now distributing banking trojans through dropper apps more than ever before because this technique helps them evade detection.
Dropper apps carry the malware without raising suspicion at the Google Play Store security mechanism. The apps are named so because of containing a payload comprising malware that these install on the infected handset. Furthermore, mobile malware is highly in demand nowadays as cybercriminals can disseminate their malware on the official Google play store.
Malicious Apps Details
The following are the names of the malicious dropper apps discovered on the Google Play Store:
- Fix Cleaner
- Crypto Utils
- Rooster VPN
- Extra Cleaner
- Lucky Cleaner
- Simpli Cleaner
- Unicc QR Scanner
- Conquer Darkness
- Call Recorder APK
- Eagle photo editor
- Call recorder pro+
- Universal Saver Pro
- Just In: Video Motion
- Super Cleaner- hyper & smart
- Document Scanner – PDF Creator
According to Trend Micro’s blog post, the DawDropper malware’s malicious payload has been linked to the Octo malware family. It is a multi-stage, modular malware. Octo is also called Coper and was previously used for targeting Colombian online banking customers. The malicious apps aren’t available on Google Play Store anymore.
Google To Implement New Policy Changes
As per the Google support page, the company is implementing policy changes to the Play Store. One of the changes will come into effect from September 30th, 2022.
These changes will prevent developers from displaying full-page ads in mobile games downloaded via the Play Store, or else these will have to be closed in 15 seconds unless it is an opt-in ad to unlock rewards. Moreover, the company will ban apps with copied icons, designs, logos, or titles and various VPN apps from August 31.
More Android Malware News
- 300,000 Android users impacted by malware apps on Play Store
- New Android malware poses as “System Update” to steal your data
- 38% of Android VPN Apps on Google Play Store Plagued with Malware
- Experts concerned over emergence of new Android banking trojan S.O.V.A.
- New Android malware on Play Store disables Play Protect to evade detection