• Home
  • |
  • Blog
  • |
  • How To Protect Your Android Device From The New DawDropper Banking Dropper?
How to Protect Your Android Device From the New DawDropper Banking Dropper

On July 29, TrendMicro, a well-known security firm, detailed about a new Android malware dubbed as DawDropper banking dropper in a post. This proved once again that Google Play Store is still an attractive platform for cybercriminals to covertly carry out their tasks. The reason could be that attackers found this technique would help them in evading detections. If this trend continues, then the result could be more concerning. This lets multiple cybercriminal groups operate and help each other and create their own dropper-as-a-service (DaaS) model. This is highly important to be aware of such malware activities and protect your Android device from the new DawDropper banking dropper.

We have created this post to let you know how to protect your android device from the new DawDropper banking dropper.

About The New DawDropper Banking Dropper:

TrendMicro says that their security research team found the New DawDropper banking dropper in a malicious campaign in late 2021. The team said that they found that the dropper was being served in several Android apps pretending as a legitimate Video Motion, Document Scanner Pro, Conquer Darkness, simpli Cleaner, and Unicc QR Scanner.

Threat actors use DawDropper to download and install more sophisticated payloads like Octo malware, a modular and multistage malware that is capable of stealing banking information, intercepting text messages, and hijacking infected devices. Upon launching Octo malware on the victim’s machine, the malware will get the preliminary permission of the device and gather and upload sensitive information such as banking credentials, email addresses and passwords, and PINs to its command and control server.

It’s also said that Octo malware uses virtual network computing (VNC) services to record a user’s screen to capture the information. The analysis also says that the malware turns the screen black by switching the device’s backlight off and muting the sounds to cover its tasks from the user’s eyes. Please see the complete technical analysis in this blog.

Figure 1: Picture of DawDropper infection chain created by TrendMicro

Based on our observation, DawDropper has variants that drop four types of banking trojans, including Octo, Hydra, Ermac, and TeaBot. All DawDropper variants use a Firebase Realtime Database, a legitimate cloud-hosted NoSQL database for storing data, as their command-and-control (C&C) server and host malicious payloads on GitHub.

List Of Apps Infected With DawDropper Banking Dropper

The report says that total 17 apps were found infected in Google Play Store.  Please see this picture to see the list.

Figure 2: List of Apps infected with DawDropper Banking Dropper taken from TheHackersNews

How To Protect Your Android Device From The New DawDropper Banking Dropper?

You can protect your Android device from the new DawDrepper banking dropper in many places. 

  1. Block all the IOCs on your EndPoint and web proxy boxes.
  2. Don’t install apps from unknown sources.
  3. Scan your device in Google Play Protect to ensure no malicious apps were installed.
  4. Delete or Install all the apps catch in the Google Play Protect scan.
  5. Use a good premium Antivirus or Antimalware software on your devices. 

IOCs Of DawDropper Banking Droppe And Their Payloads

IOCs shared by TrendMicro are as below. Please

DawDropper

SHA-256Package nameRelease dateDetection nameC&C serverPayload addressPayload family
022a01566d6033f6d90ab182c4e69f80a3851565aaaa386c8fa1a9435cb55c91com.caduta.aisevsk05/01/2021AndroidOS_DawDropper.HRXcall-recorder-66f03-default-rtdb[.]firebaseio[.]comhxxps://github.com/uliaknazeva888/qs/raw/main/1.apkOcto
e1598249d86925b6648284fda00e02eb41fdcc75559f10c80acd182fd1f0e23acom.vpntool.androidweb11/07/2021AndroidOS_DawDropper.HRXArooster-945d8-default-rtdb[.]firebaseio[.]comhxxps://github.com/butcher65/test/raw/main/golgofan.apkHydra
8fef8831cbc864ffe16e281b0e4af8e3999518c15677866ac80ffb9495959637com.j2ca.callrecorder11/11/2021AndroidOS_DawDropper.HRXAcall-recorder-ad77f-default-rtdb[.]firebaseio[.]comhxxps://github.com/butcher65/test/raw/main/gala.apkOcto
05b3e4071f62763b3925fca9db383aeaad6183c690eecbbf532b080dfa6a5a08com.codeword.docscann11/21/2021AndroidOS_DawDropper.HRXAdoc-scanner-cff1d-default-rtdb[.]firebaseio[.]comhxxps://github.com/lotterevich/lott/raw/main/maina.apkTeaBot
f4611b75113d31e344a7d37c011db37edaa436b7d84ca4dfd77a468bdeff0271com.virtualapps.universalsaver12/09/2021AndroidOS_DawDropper.HRXAuniversalsaverpro-default-rtdb[.]firebaseio[.]comhxxps://github.com/uliaknazeva888/qs/raw/main/1.apkOcto
a1298cc00605c79679f72b22d5c9c8e5c8557218458d6a6bd152b2c2514810ebcom.techmediapro.photoediting01/04/2022AndroidOS_DawDropper.HRXAeaglephotoeditor-2d4e5-default-rtdb[.]firebaseio[.]comhxxps://github.com/butcher65/test/raw/main/lolipop.apkHydra
eb8299c16a311ac2412c55af16d1d3821ce7386c86ae6d431268a3285c8e81fbcom.chestudio.callrecorder01/2022AndroidOS_DawDropper.HRXAcall-recorder-pro-371bc-default-rtdb.firebaseio.comhxxps://github.com/sherrytho/test/raw/main/golgol.apk Hydra
d5ac8e081298e3b14b41f2134dae68535bcf740841e75f91754d3d0c0814ed42com.casualplay.leadbro04/23/2022AndroidOS_DawDropper.HRXAloader-acb47-default-rtdb[.]firebaseio[.]comhxxps://github.com/briangreen7667/2705/raw/main/addon2.apkHydra
b4bd13770c3514596dd36854850a9507e5734374083a0e4299c697b6c9b9ec58com.utilsmycrypto.mainer05/04/2022AndroidOS_DawDropper.HRXAcrypto-utils-l-default-rtdb[.]firebaseio[.]comhxxps://github.com/asFirstYouSaid/test/raw/main/110.apk hxxps://github.com/asFirstYouSaid/test/raw/main/SecureChat%20(1).apkErmac
77f226769eb1a886606823d5b7832d92f678f0c2e1133f3bbee939b256c398aacom.cleaner.fixgate05/14/2022AndroidOS_DawDropper.HRXAfixcleaner-60e32-default-rtdb[.]firebaseio[.]comhxxps://github.com/butcher65/test/raw/main/latte.apkHydra
5ee98b1051ccd0fa937f681889e52c59f33372ffa27afff024bb76d9b0446b8acom.olivia.openpuremind05/23/2022AndroidOS_DawDropper.HRXcrypto-sequence-default-rtdb[.]firebaseio.comN/A N/A
0ebcf3bce940daf4017c85700ffc72f6b3277caf7f144a69fbfd437d1343b4abcom.myunique.sequencestore2022/05/31AndroidOS_DawDropper.HRXcoin-flow-a179b-default-rtdb.firebaseio.com N/A N/A
2113451a983916b8c7918c880191f7d264f242b815b044a6351c527f8aeac3c8com.flowmysequto.yamer05/2022AndroidOS_DawDropper.HRXincrypted-app-default-rtdb.firebaseio.com N/A N/A
71c44a78cd77a8f5767096f268c3193108ac06ff3779c65e78bc879d3b0ff11dcom.qaz.universalsaver05/2022AndroidOS_DawDropper.HRXsaver-9a43a-default-rtdb[.]firebaseio.comhxxps://raw.githubusercontent.com/asFirstYouSaid/awdaw/main/Xnode_new.apk hxxps://raw.githubusercontent.com/asFirstYouSaid/test/main/GoogleMaps%20(2)_obf.apkErmac
9b2064f8808d3aaa2d3dc9f5c7ee0775b29e29df3a958466a8953f148b702461com.luckyg.cleaner06/02/2022AndroidOS_DawDropper.HRXAlucky-cleaner-default-rtdb[.]firebaseio[.]comhxxps://github.com/gohhas/gate/raw/main/live.apkOcto
ff8110883628f8d926588c0b7aedae8841df989d50f32c140d88f1105d1d3e02com.scando.qukscanner06/28/2022AndroidOS_DawDropper.HRXcleaner-f40c4-default-rtdb[.]firebaseio[.]comhxxps://raw.githubusercontent.com/k6062019/qq/main/clown.apkOcto
02499a198a8be5e203b7929287115cc84d286fc6afdb1bc84f902e433a7961e4com.qrdscannerratedx07/01/2022AndroidOS_DawDropper.HRXQrscanner-f6d8d-default-rtdb.firebaseio.comhxxps://raw.githubusercontent.com/k6062019/qq/main/clown.apkOcto
022a01566d6033f6d90ab182c4e69f80a3851565aaaa386c8fa1a9435cb55c91com.caduta.aisevsk05/01/2021AndroidOS_DawDropper.HRXcall-recorder-66f03-default-rtdb[.]firebaseio[.]comhxxps://github.com/uliaknazeva888/qs/raw/main/1.apkOcto
e1598249d86925b6648284fda00e02eb41fdcc75559f10c80acd182fd1f0e23acom.vpntool.androidweb11/07/2021AndroidOS_DawDropper.HRXArooster-945d8-default-rtdb[.]firebaseio[.]comhxxps://github.com/butcher65/test/raw/main/golgofan.apkHydra
8fef8831cbc864ffe16e281b0e4af8e3999518c15677866ac80ffb9495959637com.j2ca.callrecorder11/11/2021AndroidOS_DawDropper.HRXAcall-recorder-ad77f-default-rtdb[.]firebaseio[.]comhxxps://github.com/butcher65/test/raw/main/gala.apkOcto
05b3e4071f62763b3925fca9db383aeaad6183c690eecbbf532b080dfa6a5a08com.codeword.docscann11/21/2021AndroidOS_DawDropper.HRXAdoc-scanner-cff1d-default-rtdb[.]firebaseio[.]comhxxps://github.com/lotterevich/lott/raw/main/maina.apkTeaBot
f4611b75113d31e344a7d37c011db37edaa436b7d84ca4dfd77a468bdeff0271com.virtualapps.universalsaver12/09/2021AndroidOS_DawDropper.HRXAuniversalsaverpro-default-rtdb[.]firebaseio[.]comhxxps://github.com/uliaknazeva888/qs/raw/main/1.apkOcto
a1298cc00605c79679f72b22d5c9c8e5c8557218458d6a6bd152b2c2514810ebcom.techmediapro.photoediting01/04/2022AndroidOS_DawDropper.HRXAeaglephotoeditor-2d4e5-default-rtdb[.]firebaseio[.]comhxxps://github.com/butcher65/test/raw/main/lolipop.apkHydra
eb8299c16a311ac2412c55af16d1d3821ce7386c86ae6d431268a3285c8e81fbcom.chestudio.callrecorder01/2022AndroidOS_DawDropper.HRXAcall-recorder-pro-371bc-default-rtdb.firebaseio.comhxxps://github.com/sherrytho/test/raw/main/golgol.apk Hydra
d5ac8e081298e3b14b41f2134dae68535bcf740841e75f91754d3d0c0814ed42com.casualplay.leadbro04/23/2022AndroidOS_DawDropper.HRXAloader-acb47-default-rtdb[.]firebaseio[.]comhxxps://github.com/briangreen7667/2705/raw/main/addon2.apkHydra
b4bd13770c3514596dd36854850a9507e5734374083a0e4299c697b6c9b9ec58com.utilsmycrypto.mainer05/04/2022AndroidOS_DawDropper.HRXAcrypto-utils-l-default-rtdb[.]firebaseio[.]comhxxps://github.com/asFirstYouSaid/test/raw/main/110.apk hxxps://github.com/asFirstYouSaid/test/raw/main/SecureChat%20(1).apkErmac
77f226769eb1a886606823d5b7832d92f678f0c2e1133f3bbee939b256c398aacom.cleaner.fixgate05/14/2022AndroidOS_DawDropper.HRXAfixcleaner-60e32-default-rtdb[.]firebaseio[.]comhxxps://github.com/butcher65/test/raw/main/latte.apkHydra
5ee98b1051ccd0fa937f681889e52c59f33372ffa27afff024bb76d9b0446b8acom.olivia.openpuremind05/23/2022AndroidOS_DawDropper.HRXcrypto-sequence-default-rtdb[.]firebaseio.comN/A N/A
0ebcf3bce940daf4017c85700ffc72f6b3277caf7f144a69fbfd437d1343b4abcom.myunique.sequencestore2022/05/31AndroidOS_DawDropper.HRXcoin-flow-a179b-default-rtdb.firebaseio.com N/A N/A
2113451a983916b8c7918c880191f7d264f242b815b044a6351c527f8aeac3c8com.flowmysequto.yamer05/2022AndroidOS_DawDropper.HRXincrypted-app-default-rtdb.firebaseio.com N/A N/A
71c44a78cd77a8f5767096f268c3193108ac06ff3779c65e78bc879d3b0ff11dcom.qaz.universalsaver05/2022AndroidOS_DawDropper.HRXsaver-9a43a-default-rtdb[.]firebaseio.comhxxps://raw.githubusercontent.com/asFirstYouSaid/awdaw/main/Xnode_new.apk hxxps://raw.githubusercontent.com/asFirstYouSaid/test/main/GoogleMaps%20(2)_obf.apkErmac
9b2064f8808d3aaa2d3dc9f5c7ee0775b29e29df3a958466a8953f148b702461com.luckyg.cleaner06/02/2022AndroidOS_DawDropper.HRXAlucky-cleaner-default-rtdb[.]firebaseio[.]comhxxps://github.com/gohhas/gate/raw/main/live.apkOcto
ff8110883628f8d926588c0b7aedae8841df989d50f32c140d88f1105d1d3e02com.scando.qukscanner06/28/2022AndroidOS_DawDropper.HRXcleaner-f40c4-default-rtdb[.]firebaseio[.]comhxxps://raw.githubusercontent.com/k6062019/qq/main/clown.apkOcto
02499a198a8be5e203b7929287115cc84d286fc6afdb1bc84f902e433a7961e4com.qrdscannerratedx07/01/2022AndroidOS_DawDropper.HRXQrscanner-f6d8d-default-rtdb.firebaseio.comhxxps://raw.githubusercontent.com/k6062019/qq/main/clown.apkOcto

Github Repository

RepositoryDescription
hxxps://github.com/butcher65/testGitHub repository hosting the Octo and Hydra banking trojans
hxxps://github.com/lotterevich/lottGitHub repository hosting the TeaBot banking trojan
hxxps://github.com/asFirstYouSaid/testGitHub repository hosting the Ermac banking trojan
hxxps://github.com/asFirstYouSaid/awdawGitHub repository hosting the Ermac banking trojan
hxxps://github.com/gohhas/gateGitHub repository hosting the Octo banking trojan
hxxps://raw.github.com/k6062019/qqGitHub repository hosting the Octo banking trojan
hxxps://github.com/briangreen7667/2705GitHub repository hosting the Hydra banking trojan
hxxps://github.com/uliaknazeva888/mainGitHub repository hosting the Octo banking trojan
hxxps://github.com/kazakovadana44/1.apkGitHub repository hosting the Octo banking trojan
hxxps://github.com/sherrytho/testGitHub repository hosting the Hydra banking trojan

Octo Payload

SHA-256Package nameDownload addressDetection name
3834eb0ff1a955dab719f2ae6a51114995a7e3bd0ea201fb4f044218fe72ba4e com.fpkbdpwasnfa hxxps://github.com/uliaknazeva888/qs/raw/main/1.apkAndroidOS_EventBot.GCL
8e9fa712f490b50d13940cc3ab1509566f31627fce8848071a0547bda58ceac8com.piecesimplevbhxxps://github.com/butcher65/test/raw/main/gala.apkAndroidOS_EventBot.GCL
95182e759373f78c421b47dc92d15f1f37c1acea1cd76980058c6ad177491823com.holdremember0hxxps://raw.githubusercontent.com/k6062019/qq/main/clown.apkAndroidOS_EventBot.GCL
95182e759373f78c421b47dc92d15f1f37c1acea1cd76980058c6ad177491823com.holdremember0hxxps://raw.githubusercontent.com/k6062019/qq/main/clown.apkAndroidOS_EventBot.GCL
f0ee3582856f3f406970530138c06ba3c1c175e9d2dae95e6d3ef3c5ed6dc13acom.turncani hxxps://raw.githubusercontent.com/k6062019/qq/main/porc.apkAndroidOS_EventBot.GCL
b16769c154fbb8023ada13cf58a9b289b9643f6cb932afb4dde0189a147d5e11 com.thinkfinddau hxxps://github.com/gohhas/gate/raw/main/live.apkAndroidOS_EventBot.GCL
Network indicatorDescription
vntososupplsos.liveOcto C&C server
olopokogulya.siteBackup Octo C&C server
nbvb3954.funBackup Octo C&C server
nbvvvb.hairBackup Octo C&C server
nbvbbn.lolBackup Octo C&C server
nbvber.makeupBackup Octo C&C server
nbvbsd.momBackup Octo C&C server
nbvbwe.monsterBackup Octo C&C server
nbvb.oneBackup Octo C&C server
vbnbvb.onlineBackup Octo C&C server
ccnbvb.picsBackup Octo C&C server
xxnbvb.questBackup Octo C&C server
eenbvb.sbsBackup Octo C&C server
asqwnbvb.shopBackup Octo C&C server
qwnbvb.skinBackup Octo C&C server
qqnbvb.spaceBackup Octo C&C server
wwerenbvb.storeBackup Octo C&C serve

Ermac Payload

SHA-256Package nameDownload addressDetection Name
cdf66b98f90a9e83b204bf2bb28915784f9e9ad4d2fb86648d1d1f7d3152daddcom.ceveluriseze.xucahxxps://raw.githubusercontent.com/asFirstYouSaid/awdaw/main/Xnode_new.apk hxxps://raw.githubusercontent.com/asFirstYouSaid/test/main/GoogleMaps%20(2)_obf.apk AndroidOS_Anubis.GCL
71927786fc16e90fe05e1eb032c3591d878c7cfd197d02113d7d006e2d7b171fcom.ceveluriseze.xuca hxxps://github.com/asFirstYouSaid/test/raw/main/110.apk hxxps://github.com/asFirstYouSaid/test/raw/main/SecureChat%20(1).apkAndroidOS_Anubis.GCL    
Network indicatorDescription
193.106.191.121:3435Ermac C&C server

Hydra Payload

SHA-256Package nameDownload addressDetection name
3194e25f89540e98698bcd221c8a5dbfe4658ac14fd7e7cf7c29299f3675fcddcom.bulb.crushhxxps://github.com/briangreen7667/2705/raw/main/addon2.apkAndroidOS_Anubis.GCL
93c5e98c06963c8a320f5876148ad45fb6cce1a40a7aaee195cfa5027e19426b com.alley.workhxxps://github.com/butcher65/test/raw/main/latte.apk AndroidOS_Anubis.GCL
9c9bc75ce675754c655b0757a8655ff50186b1626862bcb5b8200c4047f3ab3c com.risk.betterhxxps://github.com/butcher65/test/raw/main/lolipop.apk AndroidOS_Anubis.GCL 
ad84c798e3c30ad941b37aababeb8edfaf52f13c0c7d32bfa96c4b989b135a8bcom.plug.follow hxxps://github.com/butcher65/test/raw/main/golgofan.apkAndroidOS_Anubis.GCL 
7e95e9a306886dadbae68c586bf19eec6903bac15290fd60c47d29a2e3cbf047 com.tunnel.voyage https://github.com/sherrytho/test/raw/main/golgol.apk AndroidOS_Anubis.GCL

Teabot Payload

SHA-256Package nameDownload addressDetection name
aea39ddf59ae764c40211a4d0e9c10514b37a9bbabf5b528de4cb7d2574b732bcom.bthlu.xnbhphxxps://github.com/lotterevich/lott/raw/main/maina.apkAndroidOS_Toddler.GCL  

We hope this post will help you know how to protect your android device from the new DawDropper banking dropper. Please share this post and help to secure the digital world. Visit our social media page on FacebookLinkedInTwitterTelegramTumblr, & Medium and subscribe to receive updates like this

About the author

Arun KL

Hi All, I am Arun KL, an IT Security Professional. Founder of “thesecmaster.com”. Enthusiast, Security Blogger, Technical Writer, Editor, Author at TheSecMaster. To know more about me. Follow me on LinkedIn

Leave a Reply

Your email address will not be published. Required fields are marked

{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}

Learn Something New with Free Email subscription

Email is also one of the ways to be in touch with us. Our free subscription plan offers you to receive post updates straight to your inbox.