
17 apps found stealing banking, email data, passwords and PINs under ‘DawDropper’ campaign

Apps like Just In: Video Motion, Document Scanner Pro, Simpli Cleaner, Unicc QR Scanner were found to be part of the malicious campaign.

DNA Web Team | Aug 03, 2022, 11:22 PM IST

A recent report by cybersecurity firm Trend Micro found a malicious campaign involving several apps in the second half of 2021. The campaign was dubbed “DawDropper”. Cyber attackers have been increasingly targeting people through apps that get into the Google Play Store using a technique called a dropper, which is proving effective at avoiding detection.

1. Malicious apps found

The company listed 17 apps that it found to be malicious and disguised as Android apps. These included Just In: Video Motion, Document Scanner Pro, Conquer Darkness, Simpli Cleaner and Unicc QR Scanner. The apps are no longer available on the Google Play Store, the cybersecurity firm reported.

Photo: Trend Micro

2. How DawDropper works

DawDropper avoids detection by using a third-party cloud service called Firebase Realtime Database. The same server was used by another dropper called Clast82, which was reported by another cybersecurity firm, Check Point, last year. Other cybercriminals may also be able to use this service to spread their malware on the app store. The company called it the “dropper-as-a-service (DaaS)” model.

3. How it infects devices

The dropper spread four kinds of banking trojans (Octo, Hydra, Ermac and TeaBot) via its different variants. DawDropper uses Octo, which can steal banking credentials and text messages and hijack devices. Historically, the same trojan was used against online banking customers in Colombia.

Photo: Trend Micro

4. How it hides and steals

The malware gains primary permissions and can keep the device awake without the owner knowing it. It then schedules the collection of sensitive information, which is uploaded to its server. It can record the user's screen and steal banking data, emails, passwords and PINs, the company said. It can also avoid detection by turning off the device's screen light and volume. Furthermore, it can disable Google Play Protect.

5. Trend to continue, how to avoid becoming a victim

Trend Micro said the malware trend will persist and more banking trojans will be spread in the future. To avoid becoming a victim, users should follow security best practices. These include checking app reviews for unusual concerns or negative experiences, doing due diligence on app developers and publishers, and avoiding app downloads from suspicious-looking websites and unknown sources.
