3 Aug. (Portaltic/EP) –
Trend Micro has warned that 17 applications that could be installed from the Google Play Store carried the so-called DawDropper, a dropper that remotely downloads the malicious code of banking Trojans onto infected devices.
Researchers from the cybersecurity company first spotted this malicious campaign in late 2021, as they recall in a blog post in which they note that this malware was embedded in Android applications such as Just In: Video Motion, Document Scanner Pro and Unicc QR Scanner.
Since then, DawDropper has been found in up to 17 applications (all of which have already been removed from Google Play), with the aim of remotely downloading the malicious code of up to four banking Trojan families (Octo, Hydra, Ermac and TeaBot) on mobiles in
Trend Micro points out that, to do its job, the dropper used Firebase Realtime Database, a Google-owned cloud service. By storing the download address of the malicious code there and retrieving it at run time, rather than embedding it in the app, it both evaded detection and was able to change where the payload came from.
DawDropper also used GitHub, another third-party service (in this case owned by Microsoft), as an alternative place to host the malicious code, which it then downloaded to the affected devices.
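The pattern described above, a lookup on a legitimate cloud database that returns a payload URL hosted on another legitimate service, leaves traces in an app's strings and network traffic. The following triage script is an added example, not Trend Micro's code or anything from the campaign: it scans a list of strings (for instance the output of `strings` on a decompiled APK, or URLs from a proxy log) for Firebase Realtime Database REST reads and GitHub payload-style downloads. The sample strings are constructed for illustration; the service domains are real, but the project, user and repository names are made up.

```python
"""Triage helper for dead-drop style payload hosting on third-party services.

Added example (not from the article or Trend Micro). Flags URLs pointing at
Firebase Realtime Database instances and at GitHub raw/release downloads, and
combines them into a rough verdict. Sample input below is constructed.
"""
import re
from typing import Optional
from urllib.parse import urlparse

# Firebase RTDB instances live under firebaseio.com or firebasedatabase.app.
RTDB_HOST_RE = re.compile(r"(^|\.)(firebaseio\.com|firebasedatabase\.app)$", re.I)
# Hosts from which a GitHub-stored file is actually fetched.
GITHUB_HOSTS = {"github.com", "raw.githubusercontent.com", "objects.githubusercontent.com"}
# Extensions that suggest a second-stage Android payload rather than data.
PAYLOAD_EXT = (".apk", ".dex", ".jar", ".zip", ".so")
URL_RE = re.compile(r"""https?://[^\s'"<>]+""", re.I)

# Constructed sample: what a strings dump of a dropper might contain.
SAMPLE_STRINGS = [
    "https://example-project-default-rtdb.firebaseio.com/config/url.json",  # constructed
    "https://raw.githubusercontent.com/example-user/example-repo/main/update.apk",  # constructed
    "https://www.googleapis.com/auth/userinfo.email",  # benign, common in any app
    "Lorem ipsum no url here",
]


def classify_url(url: str) -> Optional[dict]:
    """Return a finding dict for URLs matching the dead-drop / payload pattern, else None."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    path = p.path.lower()
    if RTDB_HOST_RE.search(host):
        # A .json path on an RTDB host is a REST read of a database node,
        # which is how a client fetches a stored download address.
        kind = "firebase_rtdb_rest" if path.endswith(".json") else "firebase_rtdb"
        return {"url": url, "kind": kind, "payload_like": False}
    if host in GITHUB_HOSTS:
        payload_like = path.endswith(PAYLOAD_EXT) or "/releases/download/" in path
        return {"url": url, "kind": "github", "payload_like": payload_like}
    return None


def triage(strings):
    """Extract URLs from arbitrary strings and classify each one."""
    findings = []
    for s in strings:
        for url in URL_RE.findall(s):
            f = classify_url(url.rstrip(".,);"))
            if f:
                findings.append(f)
    return findings


def verdict(findings) -> str:
    """Combine indicators: RTDB lookup plus payload-like download is the strong signal."""
    has_rtdb = any(f["kind"].startswith("firebase_rtdb") for f in findings)
    has_payload = any(f["payload_like"] for f in findings)
    if has_rtdb and has_payload:
        return "suspicious: RTDB lookup plus payload-like download URL"
    if has_rtdb or has_payload:
        return "review: single indicator"
    return "clean"


if __name__ == "__main__":
    for f in triage(SAMPLE_STRINGS):
        print(f)
    print(verdict(triage(SAMPLE_STRINGS)))
```

Treat the result as a triage signal, not a conviction: a huge number of legitimate apps use Firebase, and fetching an APK from GitHub is normal for some open-source projects. The combination (a database read that yields a download address, followed by an executable fetched from a file-hosting service) is what is worth a closer look, ideally by watching the app actually resolve and download the file.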
Once the malware was installed on the device, the consequences varied depending on the banking Trojan family. To illustrate its capabilities, Trend Micro gives the example of the Octo malware family.
In this case, the application that embeds DawDropper tries to convince the user to grant it accessibility service permissions, which give it effectively full control of the device.
Once it has these permissions, the malware can disable certain security controls on the device, such as Google Play Protect, the protection system built into the Google Play Store that scans applications for malicious behavior.
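Because accessibility access is the lever that makes the rest possible, a quick check a practitioner can run on a device is to list which accessibility services are currently enabled and compare them with the ones that are expected. The script below is an added example, not from the article or from Trend Micro. It assumes the input is the value of the `enabled_accessibility_services` secure setting, which can be read with `adb shell settings get secure enabled_accessibility_services` and is a colon-separated list of flattened component names (`package/ServiceClass`). The sample value and the allowlist are constructed; the package names in them are placeholders, not identifiers from the campaign.

```python
"""Audit enabled Android accessibility services against an allowlist.

Added example (not from the article or Trend Micro). Input: the string
returned by `adb shell settings get secure enabled_accessibility_services`.
The sample below is constructed; its package names are placeholders.
"""

# Hypothetical allowlist: packages you expect to hold accessibility access
# on this device (screen readers, a password manager, and so on).
ALLOWED_PACKAGES = {
    "com.google.android.marvin.talkback",
}

# Constructed sample output: the real screen reader plus an unexpected app.
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.videomotion/.AccService"
)


def parse_enabled_services(value):
    """Split the setting into (package, service_class) pairs.

    Handles the empty and literal 'null' values `settings get` prints when
    nothing is enabled, and expands the 'pkg/.Cls' abbreviation Android uses
    when the service class lives in the app's own package.
    """
    value = (value or "").strip()
    if not value or value == "null":
        return []
    pairs = []
    for comp in value.split(":"):
        if not comp:
            continue
        pkg, _, cls = comp.partition("/")
        if cls.startswith("."):
            cls = pkg + cls
        pairs.append((pkg, cls))
    return pairs


def audit(value, allowed=ALLOWED_PACKAGES):
    """Return the enabled services whose package is not on the allowlist."""
    return [(pkg, cls) for pkg, cls in parse_enabled_services(value) if pkg not in allowed]


if __name__ == "__main__":
    for pkg, cls in audit(SAMPLE_SETTING):
        print(f"unexpected accessibility service: {pkg} ({cls})")
```

Any service outside the allowlist deserves a look at which app registered it and why; a "video" or "scanner" app has no legitimate need for an accessibility service. On a device that is already compromised the check is only indicative, since the malware can also interfere with the settings it is allowed to control.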
This Trojan can also keep the affected device awake so that it can collect sensitive user information, such as the contact list, the list of installed apps and even text messages, and send it to a command-and-control (C&C) server.
Octo can also record the device's screen to capture the affected user's email addresses, their passwords for other services and their banking credentials.
HOW TO AVOID BEING A VICTIM OF THESE ‘MALWARE’ CAMPAIGNS
Trend Micro expects banking Trojans to multiply over time, since their techniques have evolved to evade detection, for example by distributing their malicious payloads through dropper-as-a-service (DaaS) offerings.
Given this context, the cybersecurity firm offers several tips to avoid becoming a victim of these malware campaigns, starting with checking an application's reviews section for negative ratings before installing it.
It is also advisable not to download applications or services from unknown sources or suspicious-looking websites, which helps limit the spread of these threats.