Banking trojan finds new routes to accounts by infiltrating Google Play Store

An attendee inspects a Nexus 5X phone during a Google media event on September 29, 2015 in San Francisco. (Photo by Justin Sullivan/Getty Images)

According to Trend Micro, banking malware appeared on the Google Play Store this year, showing how many distribution channels this emerging class of financial Trojan can reach.

According to research by Trend Micro’s mobile team, the so-called “DawDropper”, which has recently focused on financial institutions, uses malicious “droppers” to deliver and spread its malware payload.

“Malicious actors have surreptitiously added an increasing number of banking Trojans to Google Play Store via malicious droppers this year, proving that such a technique is effective in evading detection,” according to Trend Micro.

“Additionally, as there is a high demand for new ways to distribute mobile malware, several malicious actors claim that their droppers could help other cybercriminals distribute their malware on Google Play Store,” the message continues, “resulting in a dropper-as-a-service (DaaS) model.”

Late last year, this new dropper malware variant was discovered infiltrating various Android mobile app stores.

While these increasing “dropper” attacks may seem novel, some aspects of these incursions are quite conventional.

“What’s not new is the hiding of malware in common productivity apps provided by the Google Store,” said James McQuiggan, security awareness advocate at KnowBe4.

“What’s new is a third-party system that delivers malware into apps after they’ve been downloaded,” McQuiggan said. “Cybercriminals are constantly evolving to meet technological and human improvements to evade anti-malware and human firewalls.”

By examining the overall history of DawDropper, Trend Micro discovered four types of banking Trojans, including Octo, Hydra, Ermac, and TeaBot.

“All DawDropper variants use Firebase Real-Time Database, a legitimate cloud-hosted NoSQL database to store data, as a command and control (C&C) server and host malicious payloads on GitHub,” according to Trend Micro.

Although these bank droppers have the same main objective – to distribute and install malware on victims’ devices – “we have observed that there are marked differences in the way these bank droppers implement their malicious routines”, according to Trend Micro analysis. For example, the bank droppers that launched earlier this year “have hard-coded payload download addresses.”

Meanwhile, bank droppers launched more recently “tend to hide the actual payload download address, sometimes use third-party services as C&C servers, and use third-party services like GitHub to host malicious payloads,” Trend Micro’s research found.
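The two observations above (Firebase Real-Time Database used as the C&C channel, payload fetched from GitHub) give a defender a behavioural pairing to look for in device or proxy telemetry. The following is an added example, not code from Trend Micro or from the article: it runs a heuristic over constructed proxy log lines and flags any app that reads a Firebase RTDB endpoint and then, within a short window, downloads an Android binary from a code-hosting domain. The log format, host lists, package names and time window are all assumptions for illustration; only the Firebase-then-GitHub pattern comes from the report.

```python
"""Heuristic detection of the dropper behaviour described in the report.

Added example, not Trend Micro's code. Facts taken from the report: DawDropper
variants use the Firebase Real-Time Database as C&C and host payloads on GitHub.
Everything else (log format, host lists, sample entries, window) is constructed.
"""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample proxy log: "<ISO time> <package> <method> <host> <path> <content-type>"
SAMPLE_LOG = """\
2022-07-01T10:00:01 com.example.notes GET notes-app-default.firebaseio.com /config.json application/json
2022-07-01T10:00:02 com.example.notes GET raw.githubusercontent.com /someuser/repo/main/update.apk application/vnd.android.package-archive
2022-07-01T10:00:05 com.example.chat GET chat-app.firebaseio.com /rooms.json application/json
2022-07-01T10:00:09 com.example.chat GET cdn.example-chat.com /sticker.png image/png
2022-07-01T10:01:00 com.example.game GET raw.githubusercontent.com /someuser/assets/main/levels.json application/json
"""

# Assumed host/type lists. Firebase RTDB is widely used by legitimate apps, so a
# Firebase read on its own is NOT a signal; the pairing with a binary download is.
RTDB_SUFFIX = ".firebaseio.com"
CODE_HOSTS = {"github.com", "raw.githubusercontent.com", "objects.githubusercontent.com"}
EXEC_TYPES = {"application/vnd.android.package-archive", "application/octet-stream"}
EXEC_EXTS = (".apk", ".dex", ".jar")


def parse_line(line: str) -> Dict[str, object]:
    """Split one constructed log line into its six fields."""
    ts, pkg, method, host, path, ctype = line.split(maxsplit=5)
    return {
        "ts": datetime.fromisoformat(ts),
        "pkg": pkg,
        "method": method,
        "host": host,
        "path": path,
        "ctype": ctype,
    }


def is_rtdb_read(e: Dict[str, object]) -> bool:
    """True when the request targets a Firebase Real-Time Database host."""
    return str(e["host"]).endswith(RTDB_SUFFIX)


def is_code_host_binary(e: Dict[str, object]) -> bool:
    """True when an Android binary is fetched from a code-hosting domain."""
    if e["host"] not in CODE_HOSTS:
        return False
    return e["ctype"] in EXEC_TYPES or str(e["path"]).lower().endswith(EXEC_EXTS)


def find_dropper_pattern(log_text: str, window_seconds: int = 300) -> List[Tuple[str, str, str]]:
    """Return (package, rtdb_host, payload_url) for every app whose RTDB read is
    followed within `window_seconds` by a binary download from a code host."""
    events_by_pkg: Dict[str, List[Dict[str, object]]] = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            e = parse_line(line)
            events_by_pkg[str(e["pkg"])].append(e)

    hits: List[Tuple[str, str, str]] = []
    for pkg, events in events_by_pkg.items():
        events.sort(key=lambda e: e["ts"])
        last_rtdb = None
        for e in events:
            if is_rtdb_read(e):
                last_rtdb = e           # remember the most recent C&C-style read
            elif is_code_host_binary(e) and last_rtdb is not None:
                delta = (e["ts"] - last_rtdb["ts"]).total_seconds()  # type: ignore[operator]
                if 0 <= delta <= window_seconds:
                    hits.append((pkg, str(last_rtdb["host"]), f"https://{e['host']}{e['path']}"))
                    last_rtdb = None    # one alert per RTDB read
    return hits


if __name__ == "__main__":
    for pkg, c2, url in find_dropper_pattern(SAMPLE_LOG):
        print(f"ALERT {pkg}: RTDB read from {c2} followed by binary download {url}")
```

In the constructed sample only `com.example.notes` trips the heuristic; the chat app reads Firebase but fetches an image, and the game fetches JSON from GitHub without any RTDB read. In a real deployment the window and host lists would need tuning, and a hit is a lead for analyst triage rather than a verdict.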

“Financial industries are continually targeted because they keep the money,” McQuiggan pointed out. “Cybercriminals find it easier to target users and steal their credentials and work to sell them or exploit them to socially create money for the victim.”

Cybercriminals are constantly finding ways “to evade detection and infect as many devices as possible,” according to Trend Micro. “In the space of six months, we have seen how banking Trojans have evolved their technical routines to avoid detection, such as hiding malicious payloads in droppers. As more and more banking Trojans are made available through DaaS, malicious actors will have an easier and more cost-effective way to distribute malware disguised as legitimate applications.”

Trend Micro predicted that the trend would continue, with more banking Trojans being distributed on general application sites like Google Play Store, as well as others.

“As the BankDropper targets users, education is always beneficial to increase awareness among bank customers to be wary of loading software for apps that have no reviews,” McQuiggan said. “Banks should always ensure multi-factor authentication is enabled and use authenticator apps rather than texting a code.”