On July 29, TrendMicro, a well-known security firm, published a post detailing a new Android banking dropper dubbed DawDropper. This proved once again that Google Play Store remains an attractive platform for cybercriminals to carry out their activities covertly, presumably because distributing malware through the store helps them evade detection. If this trend continues, the result could be even more concerning: it lets multiple cybercriminal groups operate together, help each other, and build their own dropper-as-a-service (DaaS) model. It is therefore important to be aware of such malware activity and to protect your Android device from the new DawDropper banking dropper.
We have created this post to explain how to protect your Android device from the new DawDropper banking dropper.
About The New DawDropper Banking Dropper
TrendMicro says that its security research team found the new DawDropper banking dropper in a malicious campaign in late 2021. The team found the dropper being served in several Android apps posing as legitimate utilities, including Video Motion, Document Scanner Pro, Conquer Darkness, simpli Cleaner, and Unicc QR Scanner.
Threat actors use DawDropper to download and install more sophisticated payloads such as Octo, a modular, multistage malware capable of stealing banking information, intercepting text messages, and hijacking infected devices. Once Octo is launched on the victim's device, it obtains the device permissions it needs and then gathers and uploads sensitive information, such as banking credentials, email addresses and passwords, and PINs, to its command-and-control server.
Octo is also reported to use virtual network computing (VNC) to record the user's screen and capture information. According to the analysis, the malware turns the screen black by switching off the device's backlight and mutes the sounds to hide its activity from the user. The complete technical analysis is available in TrendMicro's blog post.
Based on our observation, DawDropper has variants that drop four types of banking trojans, including Octo, Hydra, Ermac, and TeaBot. All DawDropper variants use a Firebase Realtime Database, a legitimate cloud-hosted NoSQL database for storing data, as their command-and-control (C&C) server and host malicious payloads on GitHub.
List Of Apps Infected With DawDropper Banking Dropper
The report says that a total of 17 infected apps were found on Google Play Store; the list is shown in the picture accompanying the report.
How To Protect Your Android Device From The New DawDropper Banking Dropper?
You can protect your Android device from the new DawDropper banking dropper in several ways.
- Block all the IOCs shared in the report on your endpoint and web proxy devices.
- Don't install apps from unknown sources.
- Scan your device with Google Play Protect to ensure no malicious apps are installed.
- Delete or uninstall all the apps flagged by the Google Play Protect scan.
- Use a good premium antivirus or antimalware product on your devices.
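As an added example (not from the TrendMicro report or this post), the following Python turns an IOC table in the report's pipe-delimited, defanged layout into a blocklist for a web proxy or endpoint agent, drops the rows the table repeats, and checks the output of `adb shell pm list packages` against the listed package names. The hashes, hosts, URLs and package names in it are constructed placeholders, not real indicators.

```python
import re
from urllib.parse import urlparse
# Constructed sample rows (placeholder hashes, hosts and URLs, not real indicators) in the
# TrendMicro table's pipe-delimited, defanged layout; the last row repeats the first on purpose.
H1, H2, H3 = "a" * 64, "b" * 64, "c" * 64
SAMPLE_IOC_TABLE = "\n".join([
    "SHA-256 | Package name | Release date | Detection name | C&C server | Payload address | Payload family |",
    f"{H1} | com.example.callrecorder | 05/01/2021 | AndroidOS_DawDropper.HRX | example-66f03-default-rtdb[.]firebaseio[.]com | hxxps://github.com/example-user/repo/raw/main/1.apk | Octo |",
    f"{H2} | com.example.docscanner | 11/21/2021 | AndroidOS_DawDropper.HRXA | doc-example-default-rtdb[.]firebaseio[.]com | hxxps://github.com/example-user/lott/raw/main/maina.apk "
    "hxxps://github.com/example-user/lott/raw/main/second.apk | TeaBot |",
    f"{H3} | com.example.cleaner | 05/23/2022 | AndroidOS_DawDropper.HRX | example-seq-default-rtdb[.]firebaseio.com | N/A | N/A |",
    f"{H1} | com.example.callrecorder | 05/01/2021 | AndroidOS_DawDropper.HRX | example-66f03-default-rtdb[.]firebaseio[.]com | hxxps://github.com/example-user/repo/raw/main/1.apk | Octo |",
])

def refang(value: str) -> str:
    """Undo the report's defanging so values can be loaded into a proxy or endpoint agent."""
    return value.replace("[.]", ".").replace("hxxps://", "https://").replace("hxxp://", "http://")

def parse_ioc_table(text: str) -> list[dict]:
    """Parse pipe-delimited IOC rows, skipping the header line and repeated hashes."""
    rows, seen = [], set()
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 7 or not re.fullmatch(r"[0-9a-f]{64}", cells[0]):
            continue  # header, blank or malformed line
        if cells[0] in seen:
            continue  # the table repeats rows; keep one copy per sample
        seen.add(cells[0])
        payloads = [] if cells[5] == "N/A" else [refang(u) for u in cells[5].split()]
        rows.append({"sha256": cells[0], "package": cells[1], "detection": cells[3],
                     "c2": refang(cells[4]), "payload_urls": payloads, "family": cells[6]})
    return rows

def build_blocklist(rows: list[dict]) -> dict[str, set[str]]:
    """Collect the hashes, package names, hosts and URLs to block on proxy and endpoint."""
    block = {"sha256": set(), "packages": set(), "hosts": set(), "urls": set()}
    for r in rows:
        block["sha256"].add(r["sha256"])
        block["packages"].add(r["package"])
        block["hosts"].add(r["c2"])  # Firebase Realtime Database host used as C&C
        for url in r["payload_urls"]:
            block["urls"].add(url)
            block["hosts"].add(urlparse(url).hostname)  # GitHub host serving the payload
    return block

def find_installed(pm_output: str, packages: set[str]) -> list[str]:
    """Match 'adb shell pm list packages' output ('package:com.foo' lines) against IOC package names."""
    installed = (ln.split(":", 1)[1].strip() for ln in pm_output.splitlines() if ln.startswith("package:"))
    return sorted(p for p in installed if p in packages)
```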
IOCs Of DawDropper Banking Dropper And Their Payloads
TrendMicro's report shares IOCs for the DawDropper apps, the GitHub repositories hosting the payloads, and the Octo, Ermac, Hydra and TeaBot payloads: SHA-256 hashes, package names, Firebase C&C hosts, payload download addresses, detection names and network indicators. Please
We hope this post helps you understand how to protect your Android device from the new DawDropper banking dropper. Please share this post and help secure the digital world. Visit our social media pages on Facebook, LinkedIn, Twitter, Telegram, Tumblr, and Medium, and subscribe to receive updates like this.
Original article by ItWorker. If you repost it, please credit the source: https://blog.ytso.com/278429.html