Apr 17, 2024
Banking Trojans Distributed on Google Play Store in DawDropper Campaign
Cybersecurity researchers have uncovered a new campaign to distribute banking trojans on the Google Play Store. These “Droppers” make it difficult to detect threat actors and are highly effective for malware distribution. This software, becoming increasingly widespread every day, is also offered for sale as DaaS (dropper-as-a-service) by some threat actors on the dark web.
According to research by Trend Micro, malicious software called DawDropper impersonates trusted apps to gain access to victims’ mobile devices.
DawDropper Distributes Octo, Hydra, and TeaBot
Among the most striking findings of the research is the distribution of banking trojans such as Octo, Hydra, Ermac, and TeaBot to mobile devices by variants of DawDropper. These variants host their payloads in GitHub repositories as the dynamic download address and use Firebase Realtime Database as a C2 server to avoid detection. When the dropper gains access to the target device, it communicates with the C2 server and starts downloading the malware payload from the GitHub repositories.
Banking “droppers” can work in different ways. Newer droppers can hide their payload addresses and use third-party services for both C2 servers and payload downloads. Earlier banking droppers had hard-coded payload addresses.
Octo Malware
Octo is the most well-known malware distributed by DawDropper. Capable of taking full control of the infected device and hijacking sensitive data such as banking information, Octo also can hide its malicious activities.
Octo saves the victim’s device to a scheduled service by keeping it powered. After gaining main permissions on the victim device, it starts working successfully and uploads sensitive data to the C2 server.
Another feature of Octo is that it can record all screen movements on the infected device. It uses virtual network computing (VNC) to capture the victim’s PINs, email addresses, and information used to log into various applications. It makes the device look turned off to hide its activities by switching the sound and the backlight off.
Mitigations
By taking the following security measures, malicious applications can be prevented from infecting mobile devices:
- Before downloading an app to your device, check the user reviews in the app store.
- Do research on the developers and publishers of the app you’re considering downloading.
- Avoid downloading apps from untrusted sources.
IoCs
|
SHA-256 |
Package name |
Detection name |
C&C server |
Payload address |
Payload family |
|
022a01566d6033f6d90ab182c4e69f80a3851565aaaa386c8fa1a9435cb55c91 |
com.caduta.aisevsk |
AndroidOS_DawDropper.HRX |
call-recorder-66f03-default-rtdb[.]firebaseio[.]com |
hxxps://github.com/uliaknazeva888/qs/raw/main/1.apk |
Octo |
|
e1598249d86925b6648284fda00e02eb41fdcc75559f10c80acd182fd1f0e23a |
com.vpntool.androidweb |
AndroidOS_DawDropper.HRXA |
rooster-945d8-default-rtdb[.]firebaseio[.]com |
hxxps://github.com/butcher65/test/raw/main/golgofan.apk |
Hydra |
|
8fef8831cbc864ffe16e281b0e4af8e3999518c15677866ac80ffb9495959637 |
com.j2ca.callrecorder |
AndroidOS_DawDropper.HRXA |
call-recorder-ad77f-default-rtdb[.]firebaseio[.]com |
hxxps://github.com/butcher65/test/raw/main/gala.apk |
Octo |
|
05b3e4071f62763b3925fca9db383aeaad6183c690eecbbf532b080dfa6a5a08 |
com.codeword.docscann |
AndroidOS_DawDropper.HRXA |
doc-scanner-cff1d-default-rtdb[.]firebaseio[.]com |
hxxps://github.com/lotterevich/lott/raw/main/maina.apk |
TeaBot |
|
f4611b75113d31e344a7d37c011db37edaa436b7d84ca4dfd77a468bdeff0271 |
com.virtualapps.universalsaver |
AndroidOS_DawDropper.HRXA |
universalsaverpro-default-rtdb[.]firebaseio[.]com |
hxxps://github.com/uliaknazeva888/qs/raw/main/1.apk |
Octo |
|
a1298cc00605c79679f72b22d5c9c8e5c8557218458d6a6bd152b2c2514810eb |
com.techmediapro.photoediting |
AndroidOS_DawDropper.HRXA |
eaglephotoeditor-2d4e5-default-rtdb[.]firebaseio[.]com |
hxxps://github.com/butcher65/test/raw/main/lolipop.apk |
Hydra |
|
eb8299c16a311ac2412c55af16d1d3821ce7386c86ae6d431268a3285c8e81fb |
com.chestudio.callrecorder |
AndroidOS_DawDropper.HRXA |
call-recorder-pro-371bc-default-rtdb.firebaseio.com |
hxxps://github.com/sherrytho/test/raw/main/golgol.apk |
Hydra |
|
d5ac8e081298e3b14b41f2134dae68535bcf740841e75f91754d3d0c0814ed42 |
com.casualplay.leadbro |
AndroidOS_DawDropper.HRXA |
loader-acb47-default-rtdb[.]firebaseio[.]com |
hxxps://github.com/briangreen7667/2705/raw/main/addon2.apk |
Hydra |
|
b4bd13770c3514596dd36854850a9507e5734374083a0e4299c697b6c9b9ec58 |
com.utilsmycrypto.mainer |
AndroidOS_DawDropper.HRXA |
crypto-utils-l-default-rtdb[.]firebaseio[.]com |
hxxps://github.com/asFirstYouSaid/test/raw/main/110.apk hxxps://github.com/asFirstYouSaid/test/raw/main/SecureChat%20(1).apk |
Ermac |
|
77f226769eb1a886606823d5b7832d92f678f0c2e1133f3bbee939b256c398aa |
com.cleaner.fixgate |
AndroidOS_DawDropper.HRXA |
fixcleaner-60e32-default-rtdb[.]firebaseio[.]com |
hxxps://github.com/butcher65/test/raw/main/latte.apk |
Hydra |
|
5ee98b1051ccd0fa937f681889e52c59f33372ffa27afff024bb76d9b0446b8a |
com.olivia.openpuremind |
AndroidOS_DawDropper.HRX |
crypto-sequence-default-rtdb[.]firebaseio.com |
N/A |
N/A |
|
0ebcf3bce940daf4017c85700ffc72f6b3277caf7f144a69fbfd437d1343b4ab |
com.myunique.sequencestore |
AndroidOS_DawDropper.HRX |
coin-flow-a179b-default-rtdb.firebaseio.com |
N/A |
N/A |
|
2113451a983916b8c7918c880191f7d264f242b815b044a6351c527f8aeac3c8 |
com.flowmysequto.yamer |
AndroidOS_DawDropper.HRX |
incrypted-app-default-rtdb.firebaseio.com |
N/A |
N/A |
|
71c44a78cd77a8f5767096f268c3193108ac06ff3779c65e78bc879d3b0ff11d |
com.qaz.universalsaver |
AndroidOS_DawDropper.HRX |
saver-9a43a-default-rtdb[.]firebaseio.com |
hxxps://raw.githubusercontent.com/asFirstYouSaid/awdaw/main/Xnode_new.apk hxxps://raw.githubusercontent.com/asFirstYouSaid/test/main/GoogleMaps%20(2)_obf.apk |
Ermac |
|
9b2064f8808d3aaa2d3dc9f5c7ee0775b29e29df3a958466a8953f148b702461 |
com.luckyg.cleaner |
AndroidOS_DawDropper.HRXA |
lucky-cleaner-default-rtdb[.]firebaseio[.]com |
hxxps://github.com/gohhas/gate/raw/main/live.apk |
Octo |
|
ff8110883628f8d926588c0b7aedae8841df989d50f32c140d88f1105d1d3e02 |
com.scando.qukscanner |
AndroidOS_DawDropper.HRX |
cleaner-f40c4-default-rtdb[.]firebaseio[.]com |
hxxps://raw.githubusercontent.com/k6062019/qq/main/clown.apk |
Octo |
|
02499a198a8be5e203b7929287115cc84d286fc6afdb1bc84f902e433a7961e4 |
com.qrdscannerratedx |
AndroidOS_DawDropper.HRX |
Qrscanner-f6d8d-default-rtdb.firebaseio.com |
hxxps://raw.githubusercontent.com/k6062019/qq/main/clown.apk |
Octo |
|
022a01566d6033f6d90ab182c4e69f80a3851565aaaa386c8fa1a9435cb55c91 |
com.caduta.aisevsk |
AndroidOS_DawDropper.HRX |
call-recorder-66f03-default-rtdb[.]firebaseio[.]com |
hxxps://github.com/uliaknazeva888/qs/raw/main/1.apk |
Octo |
|
e1598249d86925b6648284fda00e02eb41fdcc75559f10c80acd182fd1f0e23a |
com.vpntool.androidweb |
AndroidOS_DawDropper.HRXA |
rooster-945d8-default-rtdb[.]firebaseio[.]com |
hxxps://github.com/butcher65/test/raw/main/golgofan.apk |
Hydra |
|
8fef8831cbc864ffe16e281b0e4af8e3999518c15677866ac80ffb9495959637 |
com.j2ca.callrecorder |
AndroidOS_DawDropper.HRXA |
call-recorder-ad77f-default-rtdb[.]firebaseio[.]com |
hxxps://github.com/butcher65/test/raw/main/gala.apk |
Octo |
|
05b3e4071f62763b3925fca9db383aeaad6183c690eecbbf532b080dfa6a5a08 |
com.codeword.docscann |
AndroidOS_DawDropper.HRXA |
doc-scanner-cff1d-default-rtdb[.]firebaseio[.]com |
hxxps://github.com/lotterevich/lott/raw/main/maina.apk |
TeaBot |
|
f4611b75113d31e344a7d37c011db37edaa436b7d84ca4dfd77a468bdeff0271 |
com.virtualapps.universalsaver |
AndroidOS_DawDropper.HRXA |
universalsaverpro-default-rtdb[.]firebaseio[.]com |
hxxps://github.com/uliaknazeva888/qs/raw/main/1.apk |
Octo |
|
a1298cc00605c79679f72b22d5c9c8e5c8557218458d6a6bd152b2c2514810eb |
com.techmediapro.photoediting |
AndroidOS_DawDropper.HRXA |
eaglephotoeditor-2d4e5-default-rtdb[.]firebaseio[.]com |
hxxps://github.com/butcher65/test/raw/main/lolipop.apk |
Hydra |
|
eb8299c16a311ac2412c55af16d1d3821ce7386c86ae6d431268a3285c8e81fb |
com.chestudio.callrecorder |
AndroidOS_DawDropper.HRXA |
call-recorder-pro-371bc-default-rtdb.firebaseio.com |
hxxps://github.com/sherrytho/test/raw/main/golgol.apk |
Hydra |
|
d5ac8e081298e3b14b41f2134dae68535bcf740841e75f91754d3d0c0814ed42 |
com.casualplay.leadbro |
AndroidOS_DawDropper.HRXA |
loader-acb47-default-rtdb[.]firebaseio[.]com |
hxxps://github.com/briangreen7667/2705/raw/main/addon2.apk |
Hydra |
|
b4bd13770c3514596dd36854850a9507e5734374083a0e4299c697b6c9b9ec58 |
com.utilsmycrypto.mainer |
AndroidOS_DawDropper.HRXA |
crypto-utils-l-default-rtdb[.]firebaseio[.]com |
hxxps://github.com/asFirstYouSaid/test/raw/main/110.apk hxxps://github.com/asFirstYouSaid/test/raw/main/SecureChat%20(1).apk |
Ermac |
|
77f226769eb1a886606823d5b7832d92f678f0c2e1133f3bbee939b256c398aa |
com.cleaner.fixgate |
AndroidOS_DawDropper.HRXA |
fixcleaner-60e32-default-rtdb[.]firebaseio[.]com |
hxxps://github.com/butcher65/test/raw/main/latte.apk |
Hydra |
|
5ee98b1051ccd0fa937f681889e52c59f33372ffa27afff024bb76d9b0446b8a |
com.olivia.openpuremind |
AndroidOS_DawDropper.HRX |
crypto-sequence-default-rtdb[.]firebaseio.com |
N/A |
N/A |
|
0ebcf3bce940daf4017c85700ffc72f6b3277caf7f144a69fbfd437d1343b4ab |
com.myunique.sequencestore |
AndroidOS_DawDropper.HRX |
coin-flow-a179b-default-rtdb.firebaseio.com |
N/A |
N/A |
|
2113451a983916b8c7918c880191f7d264f242b815b044a6351c527f8aeac3c8 |
com.flowmysequto.yamer |
AndroidOS_DawDropper.HRX |
incrypted-app-default-rtdb.firebaseio.com |
N/A |
N/A |
|
71c44a78cd77a8f5767096f268c3193108ac06ff3779c65e78bc879d3b0ff11d |
com.qaz.universalsaver |
AndroidOS_DawDropper.HRX |
saver-9a43a-default-rtdb[.]firebaseio.com |
hxxps://raw.githubusercontent.com/asFirstYouSaid/awdaw/main/Xnode_new.apk hxxps://raw.githubusercontent.com/asFirstYouSaid/test/main/GoogleMaps%20(2)_obf.apk |
Ermac |
|
9b2064f8808d3aaa2d3dc9f5c7ee0775b29e29df3a958466a8953f148b702461 |
com.luckyg.cleaner |
AndroidOS_DawDropper.HRXA |
lucky-cleaner-default-rtdb[.]firebaseio[.]com |
hxxps://github.com/gohhas/gate/raw/main/live.apk |
Octo |
|
ff8110883628f8d926588c0b7aedae8841df989d50f32c140d88f1105d1d3e02 |
com.scando.qukscanner |
AndroidOS_DawDropper.HRX |
cleaner-f40c4-default-rtdb[.]firebaseio[.]com |
hxxps://raw.githubusercontent.com/k6062019/qq/main/clown.apk |
Octo |
|
02499a198a8be5e203b7929287115cc84d286fc6afdb1bc84f902e433a7961e4 |
com.qrdscannerratedx |
AndroidOS_DawDropper.HRX
|
Qrscanner-f6d8d-default-rtdb.firebaseio.com |
hxxps://raw.githubusercontent.com/k6062019/qq/main/clown.apk |
Octo |
Github Repository
|
Repository |
Description |
|
hxxps://github.com/butcher65/test |
GitHub repository hosting the Octo and Hydra banking trojans |
|
hxxps://github.com/lotterevich/lott |
GitHub repository hosting the TeaBot banking trojan |
|
hxxps://github.com/asFirstYouSaid/test |
GitHub repository hosting the Ermac banking trojan |
|
hxxps://github.com/asFirstYouSaid/awdaw |
GitHub repository hosting the Ermac banking trojan |
|
hxxps://github.com/gohhas/gate |
GitHub repository hosting the Octo banking trojan |
|
hxxps://raw.github.com/k6062019/qq |
GitHub repository hosting the Octo banking trojan |
|
hxxps://github.com/briangreen7667/2705 |
GitHub repository hosting the Hydra banking trojan |
|
hxxps://github.com/uliaknazeva888/main |
GitHub repository hosting the Octo banking trojan |
|
hxxps://github.com/kazakovadana44/1.apk |
GitHub repository hosting the Octo banking trojan |
|
hxxps://github.com/sherrytho/test |
GitHub repository hosting the Hydra banking trojan |
Octo Payload
|
SHA-256 |
Package name |
Download address |
Detection name |
|
3834eb0ff1a955dab719f2ae6a51114995a7e3bd0ea201fb4f044218fe72ba4e |
com.fpkbdpwasnfa |
hxxps://github.com/uliaknazeva888/qs/raw/main/1.apk |
AndroidOS_EventBot.GCL |
|
8e9fa712f490b50d13940cc3ab1509566f31627fce8848071a0547bda58ceac8 |
com.piecesimplevb |
hxxps://github.com/butcher65/test/raw/main/gala.apk |
AndroidOS_EventBot.GCL |
|
95182e759373f78c421b47dc92d15f1f37c1acea1cd76980058c6ad177491823 |
com.holdremember0 |
hxxps://raw.githubusercontent.com/k6062019/qq/main/clown.apk |
AndroidOS_EventBot.GCL |
|
95182e759373f78c421b47dc92d15f1f37c1acea1cd76980058c6ad177491823 |
com.holdremember0 |
hxxps://raw.githubusercontent.com/k6062019/qq/main/clown.apk |
AndroidOS_EventBot.GCL |
|
f0ee3582856f3f406970530138c06ba3c1c175e9d2dae95e6d3ef3c5ed6dc13a |
com.turncani |
hxxps://raw.githubusercontent.com/k6062019/qq/main/porc.apk |
AndroidOS_EventBot.GCL |
|
b16769c154fbb8023ada13cf58a9b289b9643f6cb932afb4dde0189a147d5e11 |
com.thinkfinddau |
hxxps://github.com/gohhas/gate/raw/main/live.apk |
AndroidOS_EventBot.GCL |
|
Network indicator |
Description |
|
vntososupplsos.live |
Octo C&C server |
|
olopokogulya.site |
Backup Octo C&C server |
|
nbvb3954.fun |
Backup Octo C&C server |
|
nbvvvb.hair |
Backup Octo C&C server |
|
nbvbbn.lol |
Backup Octo C&C server |
|
nbvber.makeup |
Backup Octo C&C server |
|
nbvbsd.mom |
Backup Octo C&C server |
|
nbvbwe.monster |
Backup Octo C&C server |
|
nbvb.one |
Backup Octo C&C server |
|
vbnbvb.online |
Backup Octo C&C server |
|
ccnbvb.pics |
Backup Octo C&C server |
|
xxnbvb.quest |
Backup Octo C&C server |
|
eenbvb.sbs |
Backup Octo C&C server |
|
asqwnbvb.shop |
Backup Octo C&C server |
|
qwnbvb.skin |
Backup Octo C&C server |
|
qqnbvb.space |
Backup Octo C&C server |
|
wwerenbvb.store |
Backup Octo C&C server |
Related Articles
Major Cyber Attacks in Review: March 2024
Apr 16, 2024
Cyber Reflections of Iran's Attack on Israel
Apr 15, 2024
Subscribe to our newsletter and stay updated on the latest insights!
