SOCRadar® Cyber Intelligence Inc. | Banking Trojans Distributed on Google Play Store in DawDropper Campaign
Aug 02, 2022
Sep 12, 2025

Banking Trojans Distributed on Google Play Store in DawDropper Campaign

Cybersecurity researchers have uncovered a new campaign that distributes banking trojans through the Google Play Store. The “droppers” used in it make the threat actors difficult to detect and are highly effective for malware distribution. Such software is becoming more widespread every day and is also offered for sale as DaaS (dropper-as-a-service) by some threat actors on the dark web.

According to research by Trend Micro, malicious software called DawDropper impersonates trusted apps to gain access to victims’ mobile devices.

Malicious DawDropper apps (Source: Trend Micro) 

DawDropper Distributes Octo, Hydra, and TeaBot

Among the most striking findings of the research is that variants of DawDropper distribute banking trojans such as Octo, Hydra, Ermac, and TeaBot to mobile devices. These variants host their payloads in GitHub repositories, which serve as the dynamic download address, and use Firebase Realtime Database as a C2 server to avoid detection. When the dropper gains access to the target device, it communicates with the C2 server and starts downloading the malware payload from the GitHub repositories.

Banking “droppers” can work in different ways. Newer droppers can hide their payload addresses and use third-party services for both C2 servers and payload downloads. Earlier banking droppers had hard-coded payload addresses.
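The two-stage pattern described above (a Firebase Realtime Database contact followed by an APK download from GitHub) can be hunted for in web proxy logs. The following is an added example, not code from Trend Micro or SOCRadar; the log format, device names, hostnames and the five-minute window are constructed assumptions.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed proxy log lines: ISO timestamp, device id, requested URL (all hypothetical).
SAMPLE_LOG = """\
2022-07-20T10:00:01 device-a https://example-app-1a2b3-default-rtdb.firebaseio.com/config.json
2022-07-20T10:00:09 device-a https://github.com/example-user/example-repo/raw/main/update.apk
2022-07-20T10:01:00 device-b https://example-notes-default-rtdb.firebaseio.com/notes.json
2022-07-20T10:30:00 device-b https://github.com/example-user/example-repo/blob/main/README.md
2022-07-20T11:00:00 device-c https://raw.githubusercontent.com/example-user/example-repo/main/tool.apk
2022-07-20T12:00:00 device-d https://other-app-default-rtdb.firebaseio.com/x.json
2022-07-20T13:30:00 device-d https://raw.githubusercontent.com/example-user/example-repo/main/late.apk
"""

WINDOW = timedelta(minutes=5)  # assumed correlation window, tune per environment

def is_rtdb(url):
    # Firebase Realtime Database instances live under *.firebaseio.com
    host = urlsplit(url).hostname or ""
    return host.endswith(".firebaseio.com")

def is_github_apk(url):
    # APK fetched as a raw file from a GitHub repository
    parts = urlsplit(url)
    host = parts.hostname or ""
    path = parts.path.lower()
    return path.endswith(".apk") and (
        host == "raw.githubusercontent.com" or (host == "github.com" and "/raw/" in path))

def find_dropper_pattern(log_text, window=WINDOW):
    """Return (device, apk_url) pairs where an RTDB contact precedes an APK fetch."""
    last_rtdb = {}  # device -> time of its most recent RTDB request
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, device, url = line.split(maxsplit=2)
        when = datetime.fromisoformat(ts)
        if is_rtdb(url):
            last_rtdb[device] = when
        elif is_github_apk(url) and device in last_rtdb:
            if timedelta(0) <= when - last_rtdb[device] <= window:
                hits.append((device, url))
    return hits

if __name__ == "__main__":
    print(find_dropper_pattern(SAMPLE_LOG))
```

Many legitimate apps use Firebase Realtime Database, so a hit is a triage signal for the device and the downloaded APK, not a verdict on its own.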

Octo Malware

Octo is the most well-known malware distributed by DawDropper. Capable of taking full control of the infected device and hijacking sensitive data such as banking information, Octo can also hide its malicious activities.

Octo keeps the victim’s device powered on and registers a scheduled service. After gaining main permissions on the victim device, it starts running and uploads sensitive data to the C2 server.

Another feature of Octo is that it can record all screen movements on the infected device. It uses virtual network computing (VNC) to capture the victim’s PINs, email addresses, and information used to log into various applications. It makes the device look turned off to hide its activities by switching the sound and the backlight off.

Infection chain of the Octo malware (Source: Trend Micro)

Mitigations

Taking the following security measures helps prevent malicious applications from infecting mobile devices:

  • Before downloading an app to your device, check the user reviews in the app store.
  • Do research on the developers and publishers of the app you’re considering downloading.
  • Avoid downloading apps from untrusted sources.
