Banking trojan finds new routes to accounts by infiltrating Google Play Store

An attendee inspects a Nexus 5X phone during a Google media event on Sept. 29, 2015, in San Francisco. (Photo by Justin Sullivan/Getty Images)

Banking dropper malware has surfaced on the Google Play Store this year, showing how this emerging class of financial trojan can crop up in many places, according to Trend Micro.

The so-called "DawDropper" family, which has lately been aimed at financial institutions, uses malicious "droppers" to deliver and spread its malware payload, according to research from Trend Micro's mobile team.

“Malicious actors have been surreptitiously adding a growing number of banking trojans to Google Play Store via malicious droppers this year, proving that such a technique is effective in evading detection,” according to Trend Micro.

“Additionally, because there is a high demand for novel ways to distribute mobile malware, several malicious actors claim that their droppers could help other cybercriminals disseminate their malware on Google Play Store,” the post continued, “resulting in a dropper-as-a-service (DaaS) model.”

Beginning late last year, this new dropper-malware variant was discovered infiltrating various Android app marketplaces.

While the growing number of "dropper" attacks might seem novel, some aspects of these incursions are quite conventional.

“What's not new is the masking of the malware within common productivity apps that the Google store provides," said James McQuiggan, security awareness advocate at KnowBe4.

“What is new is a third-party system that provides malware into the apps after they've been downloaded,” McQuiggan said. “Cybercriminals are constantly evolving to meet the technological and human improvements to evade anti-malware and the human firewall.”

Reviewing the overarching DawDropper history, Trend Micro identified four families of banking trojans being dropped: Octo, Hydra, Ermac, and TeaBot.

“All DawDropper variants use a Firebase Realtime Database, a legitimate cloud-hosted NoSQL database for storing data, as their command-and-control (C&C) server and host malicious payloads on GitHub,” according to Trend Micro.

Although these banking droppers have the same main objective — to distribute and install malware on victims’ devices — “we have observed that there are marked differences in how these banking droppers implement their malicious routines,” according to Trend Micro’s analysis. For example, the banking droppers that were launched earlier this year “have hard-coded payload download addresses.”

Meanwhile, the banking droppers that have been recently launched “tend to hide the actual payload download address, at times use third-party services as their C&C servers, and use third-party services such as GitHub to host malicious payloads,” the Trend Micro research found.
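As an added illustration, not code from the article or from Trend Micro, the following Python triage helper sorts string constants pulled from a decoded Android app into the patterns described above: Firebase Realtime Database endpoints that could serve as C&C, GitHub-hosted payload files, and directly hard-coded payload download URLs. The sample strings are constructed, and the host suffixes assumed for Firebase (firebaseio.com, firebasedatabase.app) are the public Realtime Database domains.

```python
from urllib.parse import urlparse

# Constructed sample of string constants as a strings/decompile pass might
# pull them from a dropper APK. None of these are real indicators.
SAMPLE_STRINGS = [
    "https://example-project-default-rtdb.firebaseio.com/config.json",
    "https://raw.githubusercontent.com/example-user/example-repo/main/payload.apk",
    "https://cdn.example.com/update/stage2.dex",
    "com.example.productivity.notes",
    "https://www.google.com/",
]

FIREBASE_RTDB_SUFFIXES = (".firebaseio.com", ".firebasedatabase.app")
GITHUB_HOSTS = {"github.com", "raw.githubusercontent.com"}
PAYLOAD_EXTS = (".apk", ".dex", ".jar", ".so")


def classify_url(s):
    """Tag a string if it looks like a C&C endpoint or payload location, else None."""
    try:
        u = urlparse(s)
        host = (u.hostname or "").lower()
    except ValueError:  # malformed netloc, e.g. unbalanced IPv6 brackets
        return None
    if u.scheme not in ("http", "https") or not host:
        return None
    path = u.path.lower()
    if host.endswith(FIREBASE_RTDB_SUFFIXES):
        return "firebase-rtdb-endpoint"      # legitimate service usable as C&C
    if host in GITHUB_HOSTS and path.endswith(PAYLOAD_EXTS):
        return "github-hosted-payload"       # payload parked on a code host
    if path.endswith(PAYLOAD_EXTS):
        return "hardcoded-payload-url"       # direct download address in the app
    return None


def triage(strings):
    """Group interesting strings by tag: {tag: [strings...]}."""
    findings = {}
    for s in strings:
        tag = classify_url(s.strip())
        if tag:
            findings.setdefault(tag, []).append(s.strip())
    return findings


def summarize(findings):
    """Map findings onto the two dropper styles the article contrasts."""
    if "hardcoded-payload-url" in findings or "github-hosted-payload" in findings:
        return "hard-coded payload download address"
    if "firebase-rtdb-endpoint" in findings:
        return "payload address likely resolved at runtime via C&C"
    return "no dropper indicators"
```

A hit here is only a starting point for review: many benign apps use Firebase and GitHub, so the value is in the combination of a C&C-capable endpoint with a downloadable executable artifact.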

“The financial industries are continuously targeted as they guard the money,” McQuiggan pointed out. “Cybercriminals find it easier to target the users and steal their credentials and work to sell them or leverage it to engineer the victim for money socially.”

Cybercriminals are constantly finding ways to “evade detection and infect as many devices as possible,” according to Trend Micro. “In a half-year span, we have seen how banking trojans have evolved their technical routines to avoid being detected, such as hiding malicious payloads in droppers. As more banking trojans are made available via DaaS, malicious actors will have an easier and more cost-effective way of distributing malware disguised as legitimate apps.”

Trend Micro forecast that the trend would continue, with more banking trojans distributed through general app marketplaces such as Google Play Store and others.

“As the BankDropper is targeting the users, education is always beneficial to provide additional awareness to the bank customers to be skeptical of loading software for applications that do not have any reviews,” McQuiggan said. “Banks should always ensure that multi-factor authentication is enabled and use authenticator applications versus sending a code via SMS.”
