The malware campaign has been detailed by cybersecurity researchers at Trend Micro who’ve dubbed it DawDropper and say it delivers four types of banking trojan – TeaBot, Octo, Hydra and Ermac – in what’s described as a dropper-as-a-service (DaaS) attack because the payload is only dropped after the app has been downloaded.
Each of the four kinds of malware is designed to steal bank account information along with usernames and passwords. TeaBot is particularly powerful, using keylogging and stealing authentication codes to help grab bank information and other sensitive personal data.
Meanwhile, Octo has the ability to gain primary permissions from the device, keeping it awake to allow stolen data to be uploaded. It uses screen recording to steal information entered by the user, including email addresses, passwords and PINs. The malware can also turn off the screen and backlight and mute the sound to hide its malicious behaviour.
The DawDropper campaign can be traced to late 2021 and various applications have been used to hide malware deliveries to victims. The full list – detailed by Trend Micro – includes call recorders, VPNs, cleaner applications, photo editors, document scanners, games and more. The number of times the malicious apps were downloaded hasn’t been detailed.
DawDropper evaded Play Store protections by using third-party cloud services to obtain the payload from a command-and-control (C&C) server operated by the attackers. That means the code was clean, so the apps were allowed in the store – it’s only after the malicious apps are downloaded by victims that a connection is made to drop the malware payload.
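The evasion described above leaves a behavioural trace that a sandbox or endpoint telemetry pipeline can look for: an app that was clean at review time fetches executable code from a non-store host after installation, writes it to its private storage and then installs or loads it. The script below is an added illustration of that detection heuristic and is not Trend Micro's code or data; the event format, package names and hosts are constructed for the example, and the trusted-host list is an assumption.

```python
"""Flag post-install payload staging in a constructed sandbox event log.

Heuristic: a benign app rarely downloads executable code (APK/DEX/JAR/SO)
from a non-store host after installation and then installs or loads it.
Dropper apps do exactly that, so we look for the ordered chain
fetch -> write executable artefact -> install/load within one package's
event stream. All values below are constructed for illustration; they are
not indicators from the campaign described in the article.
"""
import re
from collections import defaultdict

# Constructed sample log: "<seconds since install> <package> <event> <detail>"
SAMPLE_LOG = """\
0 com.example.cleaner INSTALL play.google.com
5 com.example.cleaner NET_CONNECT storage.example-cloud.invalid/cfg.json
7 com.example.cleaner NET_CONNECT cdn.example-payload.invalid/stage2.apk
8 com.example.cleaner FILE_WRITE /data/data/com.example.cleaner/files/stage2.apk
9 com.example.cleaner PKG_INSTALL /data/data/com.example.cleaner/files/stage2.apk
0 com.example.notes INSTALL play.google.com
3 com.example.notes NET_CONNECT api.example-notes.invalid/sync
4 com.example.notes FILE_WRITE /data/data/com.example.notes/files/notes.db
0 com.example.editor INSTALL play.google.com
2 com.example.editor NET_CONNECT assets.example-editor.invalid/filters.bin
3 com.example.editor FILE_WRITE /data/data/com.example.editor/files/filters.bin
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)$")
EXEC_EXT = re.compile(r"\.(apk|dex|jar|so)$", re.IGNORECASE)
LOAD_EVENTS = {"PKG_INSTALL", "DEX_LOAD"}
# Assumption for the example: only the store itself is a trusted code source.
TRUSTED_HOSTS = {"play.google.com"}


def parse_events(text):
    """Group log lines by package, each as a time-ordered list of events."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the scan
        ts, pkg, ev, detail = m.groups()
        events[pkg].append((int(ts), ev, detail))
    for pkg in events:
        events[pkg].sort()
    return events


def assess_package(evs):
    """Walk one package's events; return reasons for a completed staging chain, else []."""
    stage = 0  # 0 nothing seen, 1 payload fetched, 2 artefact written, 3 loaded
    reasons = []
    for ts, ev, detail in evs:
        if stage == 0 and ev == "NET_CONNECT":
            host = detail.split("/", 1)[0]
            if host not in TRUSTED_HOSTS and EXEC_EXT.search(detail):
                stage = 1
                reasons.append(f"t={ts}: fetched executable payload from {host}")
        elif stage == 1 and ev == "FILE_WRITE" and EXEC_EXT.search(detail):
            stage = 2
            reasons.append(f"t={ts}: wrote executable artefact {detail}")
        elif stage == 2 and ev in LOAD_EVENTS:
            stage = 3
            reasons.append(f"t={ts}: {ev} of staged payload {detail}")
            break
    # Only report the full chain; a lone download of a .so (e.g. a native
    # library update) is common enough that it is not worth an alert here.
    return reasons if stage == 3 else []


def scan_log(text):
    """Return {package: reasons} for every package showing the full chain."""
    findings = {}
    for pkg, evs in parse_events(text).items():
        reasons = assess_package(evs)
        if reasons:
            findings[pkg] = reasons
    return findings


if __name__ == "__main__":
    for pkg, reasons in scan_log(SAMPLE_LOG).items():
        print(f"[FLAGGED] {pkg}")
        for r in reasons:
            print("   ", r)
```

Only `com.example.cleaner` is flagged: it fetches an APK from a non-store host, writes it to its own storage and installs it, which is the ordered chain the rule requires. The notes app syncs data and the editor downloads a non-executable asset, so neither trips the rule. In production the same logic would run over real package-manager and network telemetry, and the trusted-host set would be tuned to the organisation's approved distribution channels.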
Trend Micro says each of the 17 malicious apps has now been removed from the Google Play Store.
“Cybercriminals are constantly finding ways to evade detection and infect as many devices as possible,” said the Trend Micro blog post.
“As more banking trojans are made available via DaaS, malicious actors will have an easier and more cost-effective way of distributing malware disguised as legitimate apps. We foresee that this trend will continue and more banking trojans will be distributed on digital distribution services in the future,” they added.
This is far from the first time malicious apps have been removed from the Play Store and it’s unlikely to be the last – but there are steps that users can take to avoid falling victim to malware hidden in official app stores.
These include only downloading applications from known developers and publishers, and avoiding apps that are published by developers who only have one app, don’t provide many details about themselves and are relatively new.
Users should also check app reviews to see if other users have reported negative experiences after downloading the app – this can be a strong indication that the app is to be avoided.