
Banking Trojans Distributed on Google Play Store in DawDropper Campaign

August 2, 2022

Cybersecurity researchers have uncovered a new campaign distributing banking trojans through the Google Play Store. The “droppers” used in such campaigns make the threat actors behind them harder to detect and are highly effective for malware distribution. Dropper software is becoming more widespread every day and is also offered for sale on the dark web by some threat actors as dropper-as-a-service (DaaS).

According to research by Trend Micro, malicious software called DawDropper impersonates trusted apps to gain access to victims’ mobile devices.

Malicious DawDropper apps (Source: Trend Micro) 

DawDropper Distributes Octo, Hydra, and TeaBot

Among the most striking findings of the research is that DawDropper variants deliver banking trojans such as Octo, Hydra, Ermac, and TeaBot to mobile devices. These variants use GitHub repositories as the dynamic download address for their payloads and Firebase Realtime Database as a C2 server to avoid detection. Once the dropper is running on the target device, it communicates with the C2 server and then downloads the malware payload from the GitHub repositories.

Banking droppers can work in different ways. Earlier banking droppers had hard-coded payload addresses; newer ones hide their payload addresses and rely on third-party services for both their C2 servers and their payload downloads.
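As an added illustration (not code from this article or from Trend Micro), the following Python sketch shows how a defender could correlate the two-stage pattern described above in device proxy logs: a contact with a Firebase Realtime Database host followed shortly by an APK fetched from a GitHub raw URL. The log format, device names, hosts and paths are constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample proxy-log lines (hypothetical format: "<ISO time> <device> <host> <path>").
# Hosts and paths are made up; they only mimic the shape of the indicators in the report.
SAMPLE_LOG = """\
2022-08-01T10:00:01 dev-A example-app-1a2b3-default-rtdb.firebaseio.com /payload.json
2022-08-01T10:00:07 dev-A github.com /someuser/somerepo/raw/main/stage2.apk
2022-08-01T10:05:00 dev-B api.example.org /v1/ping
2022-08-01T10:06:12 dev-B raw.githubusercontent.com /someuser/somerepo/main/readme.md
2022-08-01T11:00:00 dev-C github.com /other/repo/raw/main/tool.apk
"""

# Firebase Realtime Database hosts share the "-default-rtdb.firebaseio.com" suffix.
FIREBASE_RTDB = re.compile(r"-default-rtdb\.firebaseio\.com$")
# GitHub raw paths: /<user>/<repo>/raw/<branch>/<file>.apk on github.com,
# or /<user>/<repo>/<branch>/<file>.apk on raw.githubusercontent.com.
GITHUB_APK = re.compile(r"^/[^/]+/[^/]+/(raw/)?[^/]+/.+\.apk$")
GITHUB_HOSTS = {"github.com", "raw.githubusercontent.com"}


def parse(line):
    """Split one constructed log line into (timestamp, device, host, path)."""
    ts, device, host, path = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), device, host, path


def find_staged_downloads(log_text, window_minutes=10):
    """Return (device, rtdb_host, apk_path) for every device that contacted a
    Firebase RTDB host and then fetched an .apk from GitHub within the window."""
    window = timedelta(minutes=window_minutes)
    last_rtdb = {}  # device -> (timestamp, host) of the most recent RTDB contact
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, device, host, path = parse(line)
        if FIREBASE_RTDB.search(host):
            last_rtdb[device] = (ts, host)
        elif host in GITHUB_HOSTS and GITHUB_APK.match(path):
            seen = last_rtdb.get(device)
            if seen and ts - seen[0] <= window:
                hits.append((device, seen[1], path))
    return hits


if __name__ == "__main__":
    for device, rtdb_host, apk in find_staged_downloads(SAMPLE_LOG):
        print(f"{device}: RTDB contact {rtdb_host} followed by APK fetch {apk}")
```

A GitHub APK download on its own (dev-C) is not flagged; only the RTDB-then-APK sequence within the window is, which keeps the heuristic from firing on ordinary GitHub traffic.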

Octo Malware

Octo is the best-known malware distributed by DawDropper. It can take full control of the infected device, hijack sensitive data such as banking information, and hide its malicious activity.

Octo registers a scheduled service on the victim’s device and keeps the device awake. After gaining the main permissions it needs on the device, it begins operating and uploads sensitive data to the C2 server.

Octo can also record everything happening on the infected device’s screen. It uses virtual network computing (VNC) to capture the victim’s PINs, email addresses, and the credentials used to log into various applications. To hide this activity, it switches off the sound and the backlight so that the device appears to be turned off.

Infection chain of the Octo malware (Source: Trend Micro)

Mitigations

The following security measures help prevent malicious applications from infecting mobile devices:

  • Before downloading an app to your device, check the user reviews in the app store.
  • Do research on the developers and publishers of the app you’re considering downloading.
  • Avoid downloading apps from untrusted sources.

IoCs
