A malicious effort used Android dropper apps that appeared to be innocuous from the Google Play Store to infect consumers’ smartphones with banking malware.

These 17 dropper apps, collectively referred to as DawDropper by Trend Micro, pretended to be productivity and utility tools including call recorders, document scanners, QR code readers, and other tools. All of these in question apps have been taken off the app store.

The researchers said that DawDropper employs Firebase Realtime Database, a third-party cloud service, to avoid detection and dynamically find a payload download address. GitHub also harbors harmful payloads.

Droppers, which are programmes made to bypass Google’s Play Store security checks, are then used to download more dangerous and invasive malware, in this case, Octo (Coper), Hydra, Ermac, and TeaBot, onto a device.

Attack chains included links between the DawDropper malware with a Firebase Realtime Database to obtain the GitHub URL required to download the malicious APK file.

  •     Call Recorder APK (com.caduta.aisevsk)
  •     Rooster VPN (com.vpntool.androidweb)
  •     Super Cleaner- hyper & smart (com.j2ca.callrecorder)
  •     Document Scanner – PDF Creator (com.codeword.docscann)
  •     Universal Saver Pro (com.virtualapps.universalsaver)
  •     Eagle photo editor (com.techmediapro.photoediting)
  •     Call recorder pro+ (com.chestudio.callrecorder)
  •     Extra Cleaner (com.casualplay.leadbro)
  •     Crypto Utils (com.utilsmycrypto.mainer)
  •     FixCleaner (com.cleaner.fixgate)
  •     Just In: Video Motion (com.olivia.openpuremind)
  •     com.myunique.sequencestore
  •     com.flowmysequto.yamer
  •     com.qaz.universalsaver
  •     Lucky Cleaner (com.luckyg.cleaner)
  •     Simpli Cleaner (com.scando.qukscanner)
  •     Unicc QR Scanner (com.qrdscannerratedx)

One of the droppers is an application called “Unicc QR Scanner,” which Zscaler earlier this month had identified as disseminating the Coper banking trojan, a subtype of the Exobot mobile malware.

In addition, Octo is known to disable Google Play Protect and employ virtual network computing (VNC) to capture sensitive data from a victim’s device, including banking credentials, email addresses or passwords, and PINs, which are then transmitted to a distant server.

Since the beginning of the year, banking droppers have changed, moving away from utilizing hard-coded payload download locations and toward using an intermediate to mask the address hosting the malware.

The researchers noted that “cybercriminals are continually developing methods to elude detection and infect as many devices as possible.”

Additionally, numerous bad actors assert that their droppers might assist other cybercriminals in disseminating their malware on the Google Play Store, leading to a dropper-as-a-service (DaaS) model. This is because there is a huge need for creative ways to transmit mobile malware.