On July 29, TrendMicro, a well-known security firm, published a post detailing a new Android malware dubbed the DawDropper banking dropper. This proved once again that the Google Play Store is still an attractive platform for cybercriminals to covertly carry out their tasks, likely because attackers have found that distributing through the official store helps them evade detection. If this trend continues, the result could be even more concerning: it lets multiple cybercriminal groups operate, help each other, and create their own model. It is therefore highly important to be aware of such malware activities and protect your Android device from the new DawDropper banking dropper.
We have created this post to let you know how to protect your Android device from the new DawDropper banking dropper.
TrendMicro says that its security research team found the new DawDropper banking dropper in a malicious campaign in late 2021. The team found the dropper being served in several Android apps posing as legitimate utilities: Video Motion, Document Scanner Pro, Conquer Darkness, simpli Cleaner, and Unicc QR Scanner.
Threat actors use DawDropper to download and install more sophisticated payloads such as the Octo malware, a modular, multistage malware capable of stealing banking information, intercepting text messages, and hijacking infected devices. Once Octo is launched on the victim's device, it obtains the preliminary device permissions it needs and then gathers and uploads sensitive information such as banking credentials, email addresses and passwords, and PINs to its command-and-control server.
It is also said that Octo uses virtual network computing (VNC) to record the user's screen and capture information. The analysis adds that the malware turns the screen black by switching the device's backlight off and mutes the sounds to hide its activity from the user. Please see the complete technical analysis in TrendMicro's blog post.
Figure 1: Picture of DawDropper infection chain created by TrendMicro
Based on our observation, DawDropper has variants that drop four types of banking trojans, including Octo, Hydra, Ermac, and TeaBot. All DawDropper variants use a Firebase Realtime Database, a legitimate cloud-hosted NoSQL database for storing data, as their command-and-control (C&C) server and host malicious payloads on GitHub.
The report says that a total of 17 infected apps were found on the Google Play Store. Please see the picture below for the list.
Figure 2: List of Apps infected with DawDropper Banking Dropper taken from TheHackersNews
You can protect your Android device from the new DawDropper banking dropper in several ways.
Block all the IOCs on your endpoint and web proxy devices.
Don’t install apps from unknown sources.
Scan your device with Google Play Protect to ensure no malicious apps have been installed.
Delete or uninstall all the apps caught in the Google Play Protect scan.
Use a good premium antivirus or antimalware product on your devices.
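As an added example (not code from the original post or from TrendMicro), the following Python turns a defanged IOC table in the report's column layout into an endpoint hash blocklist and a web-proxy blocklist, and checks a device's `adb shell pm list packages` output against the listed package names. Every hash, domain, URL and package name in it is a constructed placeholder.

```python
"""Build endpoint/proxy blocklists from a defanged IOC table and check installed packages."""
import re

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")

# Constructed sample in the report's pipe-separated column layout; every value is a placeholder.
PLACEHOLDER_SHA_A = "a" * 64  # not a real sample hash
PLACEHOLDER_SHA_B = "b" * 64
SAMPLE_TABLE = "\n".join([
    "SHA-256 | Package name | Release date | Detection name | C&C server | Payload address | Payload family |",
    f"{PLACEHOLDER_SHA_A} | com.example.fakecleaner | 01/01/2022 | AndroidOS_DawDropper.HRX | "
    "example-app-12345-default-rtdb[.]firebaseio[.]com | "
    "hxxps://github.com/example-user/example-repo/raw/main/payload.apk "
    "hxxps://raw.githubusercontent.com/example-user/example-repo/main/second.apk | Octo |",
    f"{PLACEHOLDER_SHA_B} | com.example.fakescanner | 02/02/2022 | AndroidOS_DawDropper.HRXA | "
    "scanner-abcde-default-rtdb.firebaseio.com | N/A | N/A |",
])
# Constructed `adb shell pm list packages` output (one 'package:<name>' line per app).
SAMPLE_PM_OUTPUT = "package:com.android.settings\npackage:com.example.fakescanner\n"


def refang(value):
    """Undo the report's defanging (hxxp, [.], [:]) so a value can be fed to a blocklist."""
    return value.replace("hxxp", "http").replace("[.]", ".").replace("[:]", ":")


def parse_ioc_table(text):
    """Parse pipe-separated rows into dicts keyed by the header cell names."""
    lines = [ln.strip().strip("|") for ln in text.strip().splitlines() if ln.strip()]
    header = [c.strip() for c in lines[0].split("|")]
    return [dict(zip(header, (c.strip() for c in ln.split("|")))) for ln in lines[1:]]


def build_blocklists(rows):
    """File hashes go to the endpoint; C&C domains and payload URLs go to the web proxy.
    Payload hosts are legitimate code-hosting domains, so only the full URL is blocked,
    never the host. 'N/A' cells are skipped; a payload cell may hold several URLs."""
    out = {"endpoint_sha256": set(), "proxy_domains": set(), "proxy_urls": set()}
    for row in rows:
        digest = row.get("SHA-256", "").lower()
        if SHA256_RE.match(digest):
            out["endpoint_sha256"].add(digest)
        c2 = refang(row.get("C&C server", "")).lower()
        if c2 and c2 != "n/a":
            out["proxy_domains"].add(c2)
        for url in refang(row.get("Payload address", "")).split():
            if url.upper() != "N/A":
                out["proxy_urls"].add(url)
    return out


def find_installed_iocs(pm_output, rows):
    """Return package names from the IOC table that appear in `pm list packages` output."""
    installed = {ln.split(":", 1)[1].strip() for ln in pm_output.splitlines() if ln.startswith("package:")}
    return sorted(installed & {row["Package name"] for row in rows})
```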
IOCs shared by TrendMicro are as below. Please
We hope this post helps you know how to protect your Android device from the new DawDropper banking dropper. Please share this post and help to secure the digital world. Visit our social media pages on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium & Instagram, and subscribe to receive updates like this.
Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.