These 17 dropper apps, collectively dubbed DawDropper by Trend Micro, masqueraded as productivity and utility apps such as document scanners, QR code readers, VPN services, and call recorders, among others. All these apps in question have been removed from the app marketplace.
"DawDropper uses Firebase Realtime Database, a third-party cloud service, to evade detection and dynamically obtain a payload download address," the researchers said. "It also hosts malicious payloads on GitHub."
Droppers are apps designed to sneak past Google's Play Store security checks, following which they are used to download more potent and intrusive malware on a device, in this case, Octo (Coper), Hydra, Ermac, and TeaBot.
Attack chains involved the DawDropper malware establishing connections with a Firebase Realtime Database to receive the GitHub URL necessary to download the malicious APK file.
The list of malicious apps previously available from the app store is below -
- Call Recorder APK (com.caduta.aisevsk)
- Rooster VPN (com.vpntool.androidweb)
- Super Cleaner- hyper & smart (com.j2ca.callrecorder)
- Document Scanner - PDF Creator (com.codeword.docscann)
- Universal Saver Pro (com.virtualapps.universalsaver)
- Eagle photo editor (com.techmediapro.photoediting)
- Call recorder pro+ (com.chestudio.callrecorder)
- Extra Cleaner (com.casualplay.leadbro)
- Crypto Utils (com.utilsmycrypto.mainer)
- FixCleaner (com.cleaner.fixgate)
- Just In: Video Motion (com.olivia.openpuremind)
- Lucky Cleaner (com.luckyg.cleaner)
- Simpli Cleaner (com.scando.qukscanner)
- Unicc QR Scanner (com.qrdscannerratedx)
Included among the droppers is an app named "Unicc QR Scanner" that was previously flagged by Zscaler this month as distributing the Coper banking trojan, a variant of the Exobot mobile malware.
Octo is also known to disable Google Play Protect and use virtual network computing (VNC) to record a victim device's screen, including sensitive information such as banking credentials, email addresses and passwords, and PINs, all of which are subsequently exfiltrated to a remote server.
Banking droppers, for their part, have evolved since the start of the year, pivoting away from hard-coded payload download addresses to using an intermediary to conceal the address hosting the malware.
"Cybercriminals are constantly finding ways to evade detection and infect as many devices as possible," the researchers said.
"Additionally, because there is a high demand for novel ways to distribute mobile malware, several malicious actors claim that their droppers could help other cybercriminals disseminate their malware on Google Play Store, resulting in a dropper-as-a-service (DaaS) model."