These 17 dropper apps, dubbed DawDropper by Trend Micro, were disguised as productivity apps and utilities such as document scanners, QR code readers, VPN services and call recorders. All of them have since been removed from the app marketplace.
“DawDropper uses the Firebase Realtime Database, a third-party cloud service, to evade detection and dynamically obtain the payload download address,” the researchers said. “It also hosts malicious payloads on GitHub.”
Droppers are apps designed to pass Google Play Store security checks, after which they are used to download more potent and intrusive malware onto the device, in this case Octo (Coper), Hydra, Ermac and TeaBot.
The attack chain involves the DawDropper malware establishing a connection to the Firebase Realtime Database to receive the GitHub URL needed to download the malicious APK file.
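The two-step staging just described (a read from a Firebase Realtime Database followed shortly by an APK download from GitHub) leaves a sequence that a defender can look for in egress proxy or DNS logs. The script below is an added example, not code from Trend Micro or from the article: it correlates the two requests per device inside a short time window. The log format, hostnames, device identifiers, repository paths and the five-minute window are all constructed assumptions for this example.

```python
"""Flag DawDropper-style payload staging in constructed proxy logs.

Added example (not the article's or Trend Micro's code). It models the
chain described above: an app first contacts a Firebase Realtime Database
(to fetch the payload URL) and shortly afterwards pulls an .apk from GitHub.
Log format, hosts, device ids and the time window are assumptions.
"""
from datetime import datetime, timedelta

# Firebase Realtime Database hostnames end in one of these suffixes.
# The SDK usually talks over a websocket ("/.ws?..."), so we match on the
# host rather than on a REST-style ".json" path.
FIREBASE_SUFFIXES = (".firebaseio.com", ".firebasedatabase.app")

# Hosts from which GitHub-hosted files are served.
PAYLOAD_HOSTS = ("github.com", "raw.githubusercontent.com",
                 "objects.githubusercontent.com")

# How close together the two requests must be to count as one chain.
WINDOW = timedelta(minutes=5)


def parse_line(line):
    """Parse one constructed log line: '<iso-timestamp> <device> <host> <path>'."""
    ts, device, host, path = line.split(maxsplit=3)
    return {"ts": datetime.fromisoformat(ts), "device": device,
            "host": host, "path": path}


def is_firebase_read(ev):
    return ev["host"].endswith(FIREBASE_SUFFIXES)


def is_apk_from_github(ev):
    return ev["host"] in PAYLOAD_HOSTS and ev["path"].lower().endswith(".apk")


def find_staging_chains(lines, window=WINDOW):
    """Return (device, firebase_host, apk_url) for every device whose APK
    download from GitHub follows a Firebase read within `window`."""
    events = sorted((parse_line(l) for l in lines if l.strip()),
                    key=lambda e: e["ts"])
    last_firebase = {}   # device -> most recent Firebase event
    hits = []
    for ev in events:
        if is_firebase_read(ev):
            last_firebase[ev["device"]] = ev
        elif is_apk_from_github(ev):
            first = last_firebase.get(ev["device"])
            if first is not None and ev["ts"] - first["ts"] <= window:
                hits.append((ev["device"], first["host"],
                             ev["host"] + ev["path"]))
    return hits


# Constructed sample: dev-A shows the full chain, dev-B fetches a non-APK
# file with no Firebase read, dev-C does both steps but 90 minutes apart.
SAMPLE_LOG = """
2022-07-01T10:00:00 dev-A myproj-default-rtdb.firebaseio.com /.ws?v=5&ns=myproj-default-rtdb
2022-07-01T10:00:07 dev-A raw.githubusercontent.com /example-user/example-repo/main/update.apk
2022-07-01T10:01:00 dev-B raw.githubusercontent.com /example-user/example-repo/main/readme.md
2022-07-01T11:00:00 dev-C myproj-default-rtdb.firebaseio.com /.ws?v=5&ns=myproj-default-rtdb
2022-07-01T12:30:00 dev-C github.com /example-user/example-repo/releases/download/v1/tool.apk
""".strip().splitlines()


if __name__ == "__main__":
    for device, fb_host, apk_url in find_staging_chains(SAMPLE_LOG):
        print(f"{device}: Firebase read from {fb_host} followed by APK download {apk_url}")
```

Many legitimate apps use Firebase and GitHub, so a hit from this rule is a triage lead, not a verdict; pairing it with the package-name list below, or with a check that the downloading process is not a browser or package manager, narrows it further.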
The list of malicious apps previously available on the Google Play Store is below –
- Call Recorder APK (com.caduta.aisevsk)
- Rooster VPN (com.vpntool.androidweb)
- Super Cleaner – Hyper Smart (com.j2ca.callrecorder)
- Document Scanner – PDF Creator (com.codeword.docscann)
- Universal Saver Pro (com.virtualapps.universalsaver)
- Eagle Photo Editor (com.techmediapro.photoediting)
- call recorder pro+ (com.chestudio.callrecorder)
- Extra Cleaner (com.casualplay.leadbro)
- Crypto Utils (com.utilsmycrypto.mainer)
- FixCleaner (com.cleaner.fixgate)
- Just In: Video Motion (com.olivia.openpuremind)
- Lucky Cleaner (com.luckyg.cleaner)
- Simpli Cleaner (com.scando.qukscanner)
- Unicc QR Reader (com.qrdscannerratedx)
One of the apps, “Unicc QR Scanner”, was among those previously reported by Zscaler earlier this month as distributing the Coper banking trojan, a mobile malware strain derived from Exobot.
Octo is also known to disable Google Play Protect and use Virtual Network Computing (VNC) to record a victim’s device screen, capturing sensitive information such as banking credentials, email addresses, passwords and PINs that is later exfiltrated to a remote server.
Banking droppers have also evolved since the beginning of the year, moving away from hard-coded payload download addresses toward using an intermediary service to mask the address hosting the malware.
“Cybercriminals are constantly finding ways to evade detection and infect as many devices as possible,” the researchers said.
“Furthermore, due to the high demand for novel ways to distribute malware on mobile devices, many malicious actors claim that their droppers can help other cybercriminals spread their malware on the Google Play Store, resulting in a dropper-as-a-service (DaaS) model.”