Banking dropper malware surfaced on the Google Play Store this year, showing how this emerging financial Trojan can appear in many places, according to Trend Micro.
The so-called ‘DawDropper’, which has lately been targeting financial institutions, uses malicious ‘droppers’ to distribute and spread its malware payload, according to research by Trend Micro’s mobile team.
“Malicious actors have surreptitiously added an increasing number of banking Trojans to Google Play Store via malicious droppers this year, proving that such a technique is effective in evading detection,” according to Trend Micro.
“Additionally, because there is a high demand for new ways to distribute mobile malware, several malicious actors claim that their droppers could help other cybercriminals distribute their malware to the Google Play Store,” the report continues, “leading to a dropper as a service (DaaS) model.”
Starting late last year, this new variant of dropper malware was discovered infiltrating various Android mobile app stores.
While these growing “dropper” attacks may seem novel, there are aspects of these incursions that are quite conventional.
“What’s not new is the hiding of malware in common productivity apps provided by the Google Store,” said James McQuiggan, security awareness advocate at KnowBe4.
“What’s new is a third-party system that delivers malware into apps after they’ve been downloaded,” McQuiggan said. “Cybercriminals are constantly evolving to meet technological and human improvements to evade anti-malware and human firewall.”
By examining the overall history of DawDropper, Trend Micro discovered four types of banking Trojans, including Octo, Hydra, Ermac, and TeaBot.
“All DawDropper variants use a Firebase Realtime Database, a legitimate cloud-hosted NoSQL database used to store data, as a command and control (C&C) server, and host malicious payloads on GitHub,” according to Trend Micro.
Although these banking droppers have the same main objective, to distribute and install malware on victims’ devices, “we have observed that there are marked differences in the way these banking droppers implement their malicious routines,” according to Trend Micro’s analysis. For example, the banking droppers that launched earlier this year “have hard-coded payload download addresses.”
Meanwhile, banking droppers that were launched more recently “tend to hide the actual payload download address, sometimes use third-party services as C&C servers, and use third-party services like GitHub to host malicious payloads,” the Trend Micro study found.
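The hosting pattern described above (a Firebase Realtime Database reachable as a C&C channel, plus a payload fetched from GitHub or a direct .apk URL) gives an analyst something concrete to look for when triaging a suspicious app. The following script is an added example, not Trend Micro’s tooling or detection rules: it pulls printable strings out of a binary blob the way the `strings` tool does, classifies the URLs it finds, and ranks the sample. The sample bytes, hostnames and repository names are constructed placeholders, and the verdict is a heuristic (many benign apps use Firebase, so Firebase alone is only a prompt to inspect what the app reads from it).

```python
import re
from collections import defaultdict

# Indicator patterns for the hosting pattern the article describes (constructed
# heuristics, not Trend Micro's rules): Firebase Realtime Database URLs that can act
# as a C&C channel, and GitHub raw-file / direct .apk URLs that can host a payload.
PATTERNS = {
    "firebase_rtdb": re.compile(r"https?://[\w.-]+\.firebaseio\.com(?:/[\w./-]*)?"),
    "github_raw": re.compile(r"https?://raw\.githubusercontent\.com/[\w./-]+"),
    "apk_download": re.compile(r"https?://[\w./-]+\.apk\b"),
}

def extract_strings(blob: bytes, min_len: int = 8) -> list[str]:
    """Pull printable-ASCII runs out of a binary (same idea as the `strings` tool)."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)]

def find_indicators(strings: list[str]) -> dict[str, list[str]]:
    """Map each indicator class to the sorted, de-duplicated URLs found for it."""
    hits = defaultdict(set)
    for s in strings:
        for name, pat in PATTERNS.items():
            hits[name].update(pat.findall(s))
    return {name: sorted(urls) for name, urls in hits.items() if urls}

def triage(hits: dict[str, list[str]]) -> tuple[str, list[str]]:
    """Rank the sample: cloud database plus a remote payload host is the combination
    described in the research; Firebase alone is common in benign apps."""
    reasons = []
    if "firebase_rtdb" in hits:
        reasons.append("Firebase Realtime Database URL present; inspect what the app reads from it")
    if "github_raw" in hits or "apk_download" in hits:
        reasons.append("hard-coded remote payload location (GitHub raw file or .apk URL)")
    if len(reasons) == 2:
        return "high", reasons
    if reasons:
        return "medium", reasons
    return "low", ["no dropper-style hosting indicators found"]

# Constructed sample standing in for strings pulled from a decoded classes.dex; the
# hostnames and repository names are placeholders, not real indicators.
SAMPLE_DEX = (
    b"dex\n035\x00Lcom/example/cleaner/MainActivity;\x00"
    b"https://example-app-default-rtdb.firebaseio.com/config/stage2.json\x00"
    b"https://raw.githubusercontent.com/placeholder-user/placeholder-repo/main/stage2.apk\x00"
    b"android.permission.REQUEST_INSTALL_PACKAGES\x00"
)

if __name__ == "__main__":
    verdict, why = triage(find_indicators(extract_strings(SAMPLE_DEX)))
    print(verdict, why)
```

On a real sample the same functions can be run over the bytes of each `classes*.dex` and `resources.arsc` from an unzipped APK; the output is a prompt for manual review, not a conviction.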
“Financial industries are continually targeted as they hold onto the money,” McQuiggan pointed out. “Cybercriminals find it easier to target users and steal their credentials and work to sell or exploit them to socially engineer the victim for money.”
Cybercriminals are constantly finding ways “to evade detection and infect as many devices as possible,” according to Trend Micro. “In six months, we have seen how banking Trojans have evolved their technical routines to avoid detection, such as hiding malicious payloads in droppers. As more and more banking Trojans are made available through DaaS, malicious actors will have an easier and more cost-effective way to distribute malware disguised as legitimate applications.”
Trend Micro predicted that the trend would continue, with more banking Trojans being distributed on general application sites like the Google Play Store, as well as on others.
“As BankDropper targets users, education is always beneficial to increase awareness among bank customers to be skeptical of loading software for apps that have no reviews,” McQuiggan said. “Banks should always ensure multi-factor authentication is enabled and use authenticator apps rather than texting a code.”