These Sinister Apps On Google Play Are Laced With Android Banking Malware, Delete ASAP

Google is engaged in a never-ending game of cat and mouse with threat actors on its Play Store, who employ different techniques to sneak malware-ridden apps onto the app store. We fairly regularly write about newly discovered batches of malicious apps that went unrecognized as such long enough to infect hundreds of thousands or even millions of Android devices. Malware found on the Play Store often steals sensitive information, including text messages, contact lists, banking credentials, and device information, from unsuspecting users. The persistence of this threat on the Google Play Store requires that Android users remain vigilant so as not to unwittingly install apps bearing malicious payloads.

A new analysis by the Trend Micro Mobile Team has revealed an additional set of apps that users should ensure aren’t installed on their devices, as they contain a dropper variant that installs the Octo malware. The researchers have named this newly discovered dropper variant “DawDropper.” Seventeen different apps that were previously available on the Google Play Store contain this dropper.

Apps previously available on the Google Play Store that contain DawDropper (source: Trend Micro)

Malware directly contained within an app on the Play Store might be detected by Google, but threat actors can avoid this detection by uploading apps to the Play Store that contain droppers. Once an unsuspecting victim installs one of these apps, the dropper downloads and installs a malicious payload. According to Trend Micro, variations of DawDropper download and install different banking trojans, including Octo, Hydra, Ermac, and TeaBot.

Each variant connects to a Firebase Realtime Database that functions as the command-and-control (C2) server. The server then instructs the dropper to download and install a malicious payload from a GitHub repository. In the case of Octo, once installed, the malware disables security features like Google Play Protect and gains accessibility and admin permissions. It can then disable the infected device’s backlight and mute sounds while keeping the device on to collect sensitive information. Octo can collect banking credentials, email addresses, text messages, passwords, and more, then upload this information to a C2 server controlled by the threat actors. Android users should make sure they don’t have any of the apps shown in the image above installed on their devices.
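The chain described above (contact a Firebase Realtime Database acting as C2, then fetch an APK payload from GitHub, then request accessibility or device-admin rights) is something a defender can look for in app-behaviour telemetry. The following is an added example, not Trend Micro's tooling or anything from the report: a small Python triage script that profiles constructed per-app event lines and flags only packages that show the full sequence, since Firebase use on its own is common in legitimate apps. All package names, hosts, paths and timestamps are constructed for the example.

```python
"""Heuristic triage of Android app behaviour events for the dropper chain
described in the article: Firebase Realtime Database contact, followed by an
APK fetched from GitHub, followed by a sideload or accessibility/admin request.
Everything in SAMPLE_EVENTS is constructed; none of it is a real indicator."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample telemetry, one event per line: "<time> <package> <event> <detail>"
SAMPLE_EVENTS = """\
10:00:01 com.example.cleaner NET https://example-project-default-rtdb.firebaseio.com/config.json
10:00:03 com.example.cleaner NET https://raw.githubusercontent.com/example-org/example-repo/main/update.apk
10:00:05 com.example.cleaner PERM BIND_ACCESSIBILITY_SERVICE
10:00:06 com.example.cleaner PERM BIND_DEVICE_ADMIN
10:00:07 com.example.cleaner INSTALL /data/local/tmp/update.apk
10:01:00 com.example.weather NET https://api.example-weather.test/forecast
10:01:02 com.example.weather PERM ACCESS_COARSE_LOCATION
10:02:00 com.example.notes NET https://example-notes-default-rtdb.firebaseio.com/sync.json
"""

# Firebase Realtime Database hosts live under firebaseio.com (real domain).
FIREBASE_RTDB = re.compile(r"https://[^/]+\.firebaseio\.com/", re.I)
# An .apk served from GitHub or its raw-content host.
GITHUB_APK = re.compile(r"https://(raw\.githubusercontent\.com|github\.com)/.+\.apk(\?|$)", re.I)
# Permissions the article associates with the payload's takeover of the device.
ESCALATION_PERMS = {"BIND_ACCESSIBILITY_SERVICE", "BIND_DEVICE_ADMIN"}


@dataclass
class PackageProfile:
    firebase_c2: bool = False            # contacted a Firebase RTDB host
    github_apk_after_c2: bool = False    # fetched a GitHub APK *after* that contact
    installs_apk: bool = False           # attempted to install an APK it fetched
    escalation: set = field(default_factory=set)


def parse_events(text):
    """Yield (time, package, event, detail) tuples from the constructed log format."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        time, pkg, event, detail = line.split(maxsplit=3)
        yield time, pkg, event, detail


def profile_packages(text):
    """Build a PackageProfile per package, preserving event order so that the
    GitHub APK fetch only counts when it follows the Firebase contact, matching
    the "C2 instructs the dropper to download the payload" sequence."""
    profiles = defaultdict(PackageProfile)
    for _, pkg, event, detail in parse_events(text):
        p = profiles[pkg]
        if event == "NET":
            if FIREBASE_RTDB.match(detail):
                p.firebase_c2 = True
            elif GITHUB_APK.match(detail) and p.firebase_c2:
                p.github_apk_after_c2 = True
        elif event == "PERM" and detail in ESCALATION_PERMS:
            p.escalation.add(detail)
        elif event == "INSTALL" and detail.lower().endswith(".apk"):
            p.installs_apk = True
    return dict(profiles)


def dropper_verdicts(text):
    """Return {package: [reasons]} for packages matching the full dropper chain.
    Firebase use alone is benign (many legitimate apps rely on it), so a verdict
    requires the post-C2 GitHub APK fetch plus a sideload or escalation signal."""
    verdicts = {}
    for pkg, p in profile_packages(text).items():
        reasons = []
        if p.firebase_c2:
            reasons.append("firebase-rtdb-contact")
        if p.github_apk_after_c2:
            reasons.append("github-apk-after-c2")
        if p.installs_apk:
            reasons.append("apk-sideload")
        reasons.extend(sorted(f"perm:{name}" for name in p.escalation))
        if p.github_apk_after_c2 and (p.installs_apk or p.escalation):
            verdicts[pkg] = reasons
    return verdicts


if __name__ == "__main__":
    for pkg, reasons in dropper_verdicts(SAMPLE_EVENTS).items():
        print(f"{pkg}: {', '.join(reasons)}")
```

The ordering check is the point of the script: `com.example.notes` talks to a Firebase database and is left alone, while `com.example.cleaner` is flagged because the GitHub APK download happens only after the database contact and is followed by an install attempt and accessibility/device-admin requests. In real telemetry the same logic would run over network and permission events exported from an EDR or MDM agent rather than a hard-coded string.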