Banking dropper malware surfaced on the Google Play Store this year, showing how widely this emerging class of financial Trojan can spread, according to Trend Micro.
The so-called ‘DawDropper’, which has lately been targeting financial institutions, uses malicious ‘droppers’ to distribute its malware payload, according to research by Trend Micro’s Mobile Team.
“Malicious actors have been surreptitiously adding a growing number of banking Trojans to the Google Play Store via malicious droppers this year, proving that such a technique is effective in evading detection,” according to Trend Micro.
“Additionally, because there is a high demand for new ways to distribute mobile malware, several malicious actors claim that their droppers could help other cybercriminals distribute their malware on the Google Play Store,” it continues, “resulting in a dropper-as-a-service (DaaS) model.”
Since late last year, this new dropper variant has been found infiltrating various Android mobile app marketplaces.
While these growing “dropper” attacks may seem novel, some aspects of these incursions are quite conventional.
“What’s not new is the hiding of malware in common productivity apps provided by the Google Store,” said James McQuiggan, security awareness advocate at KnowBe4.
“What’s new is a third-party system that delivers malicious software into apps after they’ve been downloaded,” McQuiggan said. “Cybercriminals are constantly evolving to keep up with technological and human improvements and evade anti-malware and the human firewall.”
By tracing DawDropper’s history, Trend Micro identified four families of banking Trojans it delivers: Octo, Hydra, Ermac, and TeaBot.
“All DawDropper variants use a Firebase Realtime Database, a cloud-hosted NoSQL database legitimately used for storing data, as a command-and-control (C&C) server, and host their malicious payloads on GitHub,” according to Trend Micro.
Although these banking droppers share the same main purpose – to distribute and install malware on victims’ devices – “we found that there are marked differences in the way these banking droppers implement their malicious routines,” according to Trend Micro’s analysis. For example, the banking droppers that launched earlier this year “have hard-coded payload download addresses.”
Meanwhile, banking droppers launched more recently “tend to hide the actual payload download address, sometimes use third-party services as C&C servers, and use third-party services like GitHub to host malicious payloads,” the Trend Micro study found.
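The two traits above (a Firebase Realtime Database host used as C&C, and GitHub used to host the payload, either hard-coded or hidden behind an encoding) are exactly what an analyst would look for when triaging strings pulled from a suspect APK. The script below is an added illustration written for this article; it is not Trend Micro’s tooling, and the sample strings, hostnames and package name in it are constructed stand-ins, not real indicators. It classifies each string as a Firebase Realtime Database URL or a GitHub-hosted download, falls back to base64-decoding strings that look encoded, and reports whether the sample’s download addresses are hard-coded, hidden, or both.

```python
import base64
import re
from dataclasses import dataclass
from typing import List, Optional

# Indicator patterns for the infrastructure described in the article:
# Firebase Realtime Database hosts used as C&C, and GitHub used to host payloads.
FIREBASE_RTDB = re.compile(
    r"https?://[\w.-]+\.(?:firebaseio\.com|firebasedatabase\.app)(?:/[^\s\"']*)?", re.I)
GITHUB_PAYLOAD = re.compile(
    r"https?://(?:raw\.githubusercontent\.com/[^\s\"']+"
    r"|github\.com/[\w.-]+/[\w.-]+/releases/download/[^\s\"']+)", re.I)
# Shape of a base64 blob worth trying to decode (16+ chars, optional padding).
B64_SHAPE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")

# Constructed sample, standing in for `strings` output over a dropper's classes.dex.
# Hostnames and package name are invented; the base64 entries are built here so
# they stand in for an "obfuscated" download address of the newer dropper style.
SAMPLE_STRINGS = [
    "https://example-app-default-rtdb.firebaseio.com/",                       # hard-coded C&C
    base64.b64encode(
        b"https://raw.githubusercontent.com/example/repo/main/payload.apk").decode(),  # hidden payload URL
    base64.b64encode(
        b"https://example-app-default-rtdb.firebaseio.com/config.json").decode(),      # hidden C&C path
    "com.example.cleaner.MainActivity",                                       # benign class name
    "Lorem ipsum dolor sit amet",                                              # benign text
    "AAAAAAAAAAAAAAAAAAAAAAAA",                                                # base64-shaped but decodes to NULs
]


@dataclass
class Finding:
    kind: str          # "firebase_rtdb" or "github_payload"
    url: str           # the recovered URL
    obfuscated: bool   # True if the URL was only visible after base64-decoding


def maybe_b64_decode(s: str) -> Optional[str]:
    """Return decoded text if s is base64 of printable UTF-8, else None."""
    if not B64_SHAPE.match(s) or len(s) % 4:
        return None
    try:
        text = base64.b64decode(s, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def classify(candidate: str, obfuscated: bool) -> Optional[Finding]:
    """Match one (possibly decoded) string against the indicator patterns."""
    m = FIREBASE_RTDB.search(candidate)
    if m:
        return Finding("firebase_rtdb", m.group(0), obfuscated)
    m = GITHUB_PAYLOAD.search(candidate)
    if m:
        return Finding("github_payload", m.group(0), obfuscated)
    return None


def triage(strings) -> List[Finding]:
    """Scan raw strings first, then retry base64-looking strings after decoding."""
    findings = []
    for s in strings:
        s = s.strip()
        f = classify(s, obfuscated=False)
        if f is None:
            decoded = maybe_b64_decode(s)
            if decoded is not None:
                f = classify(decoded, obfuscated=True)
        if f is not None:
            findings.append(f)
    return findings


def payload_style(findings: List[Finding]) -> str:
    """Earlier droppers hard-code download addresses; newer ones hide them."""
    plain = any(not f.obfuscated for f in findings)
    hidden = any(f.obfuscated for f in findings)
    if plain and hidden:
        return "mixed"
    if plain:
        return "hard-coded"
    if hidden:
        return "hidden"
    return "none"


if __name__ == "__main__":
    results = triage(SAMPLE_STRINGS)
    for f in results:
        print(f"{f.kind:15} obfuscated={f.obfuscated!s:5} {f.url}")
    print("payload address style:", payload_style(results))
```

Run against real samples by replacing `SAMPLE_STRINGS` with the output of `strings` over the APK’s `classes.dex` (or a decompiler’s string table); a hit on a Firebase Realtime Database host alone is not proof of malice, since legitimate apps use the service, so treat the combination of a Firebase host plus a GitHub download URL, especially an encoded one, as the signal worth escalating.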
“Financial industries are being targeted because they keep the money,” McQuiggan pointed out. “Cybercriminals find it easier to target users and steal their credentials, and work to sell them or exploit them to socially engineer the victim out of money.”
Cybercriminals are always finding ways “to evade detection and infect as many devices as possible,” according to Trend Micro. “In six months, we saw how banking Trojans updated their technical routines to avoid detection, such as hiding malicious payloads in droppers. As more mobile Trojans are made available through DaaS, malicious actors will have an easier and more cost-effective way to distribute malware disguised as legitimate apps.”
Trend Micro predicted that the trend would continue, with more banking Trojans being distributed through mainstream app stores like the Google Play Store, as well as others.
“As banking droppers target users, education is always beneficial to raise awareness among bank customers to be skeptical of downloading apps that have no reviews,” McQuiggan said. “Banks should always ensure multi-factor authentication is enabled and use authenticator apps rather than texting a code.”