Seventeen malicious apps that steal passwords have been removed from the Google Play store. This year, malicious actors have been observed secretly adding a growing number of banking trojans to the Google Play store through malicious droppers. The campaign was brought to light by cybersecurity researchers at Trend Micro, who believe these malicious droppers are in high demand because they offer new ways to distribute mobile malware.
The researchers, who have named the dropper DawDropper, believe it remained hidden under the guise of many Android apps, namely Super Cleaner, Document Scanner Pro, Crypto Utils, Call Record Pro+, Rooster VPN, and Eagle Photo Editor, among others. The report found that DawDropper uses a third-party cloud service, Firebase Realtime Database, to avoid detection and obtain a payload download address.
As per the Trend Micro report, DawDropper delivered four types of banking trojans: TeaBot, Ermac, Octo, and Hydra. The banking trojans are described as a dropper-as-a-service (DaaS) attack because the payload is only dropped after the malicious app has been downloaded. The four kinds of malware are designed to steal bank details, usernames, and passwords.
TeaBot, also known as Anatsa, is particularly dangerous due to its ability to take complete control of Android devices, allowing hackers to compromise bank details through keylogging and stealing authentication codes. The malware informs the victim that their phone has been infected with a virus and that they need to click on a link to protect themselves; by doing this, the victim actually downloads the malicious payload.
Meanwhile, Octo, also known as Coper, can gain initial access to the device and keep it awake so that compromised data can be uploaded. This method has previously been used to target Colombian online banking users. The malware uses screen recording to steal confidential information entered by users, such as email addresses, passwords, and PIN numbers. Octo can also mask itself by turning off the screen, backlight, and sound to hide any malicious behavior.
Although these banking droppers have the same purpose, to install and distribute malware on victims' devices, cybersecurity researchers at Trend Micro believe there are specific differences in how they execute their malicious routines. For instance, banking droppers launched earlier this year had hard-coded payload download addresses, whereas the recently launched droppers hide the actual payload download address.
DawDropper evaded Google Play Store protections by using third-party cloud services to obtain payloads from a command-and-control (C&C) server operated by cybercriminals. That means the app code submitted to the store contained no malicious payload and looked clean, so the apps were allowed into the Play store. As of writing, Google Play Store has removed 17 apps.
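Because a dropper like the one described above carries no hard-coded payload URL, a defender's static triage has to look for the combination of a cloud-config fetch and the ability to load or install code at runtime. The following is an added example (not Trend Micro's code or the report's indicators) that scores strings extracted from a decompiled APK; the sample strings and the indicator set are constructed assumptions.

```python
import re

# Constructed sample: strings of the kind one might pull from a decompiled
# APK (resources, manifest, class names). Hypothetical values, not IoCs.
SAMPLE_STRINGS = [
    "https://example-app-default-rtdb.firebaseio.com/config.json",
    "android.permission.REQUEST_INSTALL_PACKAGES",
    "dalvik.system.DexClassLoader",
    "application/vnd.android.package-archive",
    "Super Cleaner - free up space",
]

# Assumed heuristics: a Firebase Realtime Database endpoint (*.firebaseio.com)
# combined with dynamic code loading or package installation capability.
INDICATORS = {
    "firebase_rtdb": re.compile(r"https?://[\w.-]+\.firebaseio\.com/", re.I),
    "install_packages_perm": re.compile(r"REQUEST_INSTALL_PACKAGES"),
    "dynamic_code_loading": re.compile(r"dalvik\.system\.(Dex|Path)ClassLoader"),
    "apk_mime": re.compile(r"application/vnd\.android\.package-archive"),
}

# Capabilities that let an app turn a remote address into running code.
LOADER_HITS = {"install_packages_perm", "dynamic_code_loading", "apk_mime"}


def triage(strings):
    """Return the set of indicator names matched by any extracted string."""
    hits = set()
    for s in strings:
        for name, pattern in INDICATORS.items():
            if pattern.search(s):
                hits.add(name)
    return hits


def is_dropper_candidate(hits):
    """Flag only when a Realtime Database fetch AND a loader capability co-occur.

    Either signal alone is common in benign apps; together they match the
    'config from cloud, payload fetched later' pattern and deserve manual review.
    """
    return "firebase_rtdb" in hits and bool(hits & LOADER_HITS)


if __name__ == "__main__":
    found = triage(SAMPLE_STRINGS)
    print(sorted(found), "candidate:", is_dropper_candidate(found))
```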
With cybercriminals constantly evolving their methods and finding new ways to evade detection, we as users should adopt the best security practices and educate ourselves regularly. The researchers at Trend Micro recommend the following practices:
- Avoid downloading or installing apps from unknown sources.
- Check reviews before downloading apps to see if users share unusual concerns or negative experiences.
- Always verify app developers and publishers.
- Do not download apps from suspicious-looking websites.
Trend Micro also believes that as more banking trojans are made available via DaaS, threat actors will keep finding cost-effective and more accessible ways to distribute malware disguised as legitimate apps. This trend will probably continue, and more banking trojans will be distributed through digital distribution services.