Threat Watch

17 Password-stealing Apps Removed From Google Play Store

Researchers at Trend Micro have dubbed a new malware campaign DawDropper, which delivers four types of banking trojans to victims via apps on the Google Play Store. The attack is described as a Dropper-as-a-Service (DaaS) attack because the malicious payload is only dropped after the app has been downloaded. The four malware families being delivered are TeaBot, Octo, Hydra, and Ermac; each is designed to steal banking account information along with usernames and passwords. TeaBot is known for keylogging and stealing authentication codes, while Octo can obtain the device permissions needed to keep the device awake so that stolen data can be uploaded. The campaign can be traced back to 2021 and is distributed through various types of apps, including VPNs, cleaner apps, photo editors, document scanners, and games. DawDropper evaded Play Store protections by using third-party cloud services to obtain the payload from a command-and-control (C&C) server operated by the attackers, meaning the code uploaded to the Play Store was “clean” and could not be flagged as malware.

ANALYST NOTES

Malicious apps on the Google Play Store are not rare and are constantly being identified and taken down. Threat actors continually devise new ways to get their malicious apps accepted by the Play Store. Users downloading from the Play Store should do their due diligence to determine whether an app is legitimate, including looking at the quantity and quality of the app's reviews, and should only download applications from reputable sources. Organizations should implement mobile device management (MDM) in order to secure and monitor devices that hold confidential information and credentials.

https://www.zdnet.com/article/be-careful-what-you-download-17-password-stealing-android-apps-removed-from-google-play/