Trend Micro researchers uncovered a malicious campaign that leveraged 17 seemingly harmless Android dropper apps, collectively tracked as DawDropper, on the Google Play Store to distribute banking malware.

The DawDropper apps are masqueraded as productivity and utility apps such as document scanners, VPN services, QR code readers, and call recorders. All these apps in question have been removed from the app marketplace.

“In the latter part of 2021, we found a malicious campaign that uses a new dropper variant that we have dubbed as DawDropper. Under the guise of several Android apps such as Just In: Video Motion, Document Scanner Pro, Conquer Darkness, simpli Cleaner, and Unicc QR Scanner, DawDropper uses Firebase Realtime Database, a third-party cloud service, to evade detection and dynamically obtain a payload download address.” reads the report published by Trend Micro. “It also hosts malicious payloads on GitHub. As of reporting, these malicious apps are no longer available on Google Play Store.”



DawDropper apps were spotted dropping four families of banking trojans, including Octo, Hydra, Ermac, and TeaBot. All the malware use a Firebase Realtime Database, a legitimate cloud-hosted NoSQL database for storing data, as a command-and-control (C&C) server and host malicious payloads on GitHub.

Trend Micro also found another dropper, tracked as Clast82, which was uncovered by CheckPoint Research in March 2021. Both Daw Dropper and Clast82 use Firebase Realtime Database as a C&C server.

The researchers pointed out that the banking droppers implements their own distribution and installation technique. The experts have observed the banking droppers that were launched earlier this year have hard-coded payload download addresses. Meanwhile, the banking droppers that have been recently launched are designed to hide the actual payload download address, at times use third-party services as their C&C servers, and use third-party services such as GitHub to host malicious payloads.

Below is the list of malicious DawDropper apps that were found in the Play Store:

  • Call Recorder APK (com.caduta.aisevsk)
  • Rooster VPN (com.vpntool.androidweb)
  • Super Cleaner- hyper & smart (com.j2ca.callrecorder)
  • Document Scanner – PDF Creator (com.codeword.docscann)
  • Universal Saver Pro (com.virtualapps.universalsaver)
  • Eagle photo editor (com.techmediapro.photoediting)
  • Call recorder pro+ (com.chestudio.callrecorder)
  • Extra Cleaner (com.casualplay.leadbro)
  • Crypto Utils (com.utilsmycrypto.mainer)
  • FixCleaner (com.cleaner.fixgate)
  • Just In: Video Motion (com.olivia.openpuremind)
  • com.myunique.sequencestore
  • com.flowmysequto.yamer
  • com.qaz.universalsaver
  • Lucky Cleaner (com.luckyg.cleaner)
  • Simpli Cleaner (com.scando.qukscanner)
  • Unicc QR Scanner (com.qrdscannerratedx)

Cybercriminals are constantly finding ways to evade detection and infect as many devices as possible. In a half-year span, we have seen how banking trojans have evolved their technical routines to avoid being detected, such as hiding malicious payloads in droppers. As more banking trojans are made available via DaaS, malicious actors will have an easier and more cost-effective way of distributing malware disguised as legitimate apps.” concludes the report. “We foresee that this trend will continue and more banking trojans will be distributed on digital distribution services in the future.
-Prameet