DawDropper Mobile Malware

DawDropper Mobile Malware Description

DawDropper is a dropper: a threat used by cybercriminals in the initial stages of a malware infection, tasked with delivering next-stage payloads onto an already breached device. It targets Android devices and has been observed to mostly fetch and execute banking Trojans, including Ermac 2.0, Octo, Hydra and TeaBot.

The DawDropper threat is being offered for sale to cybercriminals in a MaaS (Malware-as-a-Service) scheme. The developers allow their clients to use DawDropper for a limited period, depending on the fee paid, and payment is usually required every month. Those clients, in turn, managed to sneak the threat onto the official Google Play Store under the guise of over a dozen weaponized applications.

The malicious applications spanned several popular categories, such as system cleaners, video editors, image editors, mobile games and more. Examples of applications spreading DawDropper include Call Recorder, Crypto Utils, Eagle photo editor, FixCleaner, Lucky Cleaner, Rooster VPN, Super Cleaner, Universal Saver Pro, Unicc QR Scanners, etc. It should be noted that Google has removed all applications associated with DawDropper from its store, but users who still have one of these applications on their Android devices will have to uninstall it manually.

The attackers behind the DawDropper campaign abused a legitimate third-party cloud service, Firebase Realtime Database, to establish the Command-and-Control server of the operation. The same service was also used for data storage. The threatening payloads delivered via DawDropper were hosted on GitHub.
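As an added triage example (not code from the original page or from any analysis of DawDropper), the script below runs a string-level heuristic over strings extracted from a decompiled APK, looking for the combination described above: a Firebase Realtime Database host, a payload file fetched from GitHub, and (an assumption not stated on the page) the dynamic class loading or install permission a dropper needs to run what it fetched. All URLs and paths in the sample are constructed placeholders, not real indicators.

```python
import re

# Constructed sample of strings extracted from a decompiled APK; every URL and
# path here is a hypothetical placeholder, not a real DawDropper indicator.
SAMPLE_STRINGS = [
    "https://example-project-default-rtdb.firebaseio.com/apps/config.json",
    "https://raw.githubusercontent.com/example-user/example-repo/main/stage2.apk",
    "Ldalvik/system/DexClassLoader;",
    "android.permission.REQUEST_INSTALL_PACKAGES",
    "https://api.example.com/v1/ads",
]

# Indicator classes taken from the infrastructure described above:
# Firebase Realtime Database hosts used as C2, and payloads fetched from GitHub.
FIREBASE_RTDB = re.compile(
    r"https?://[\w.-]+\.(?:firebaseio\.com|firebasedatabase\.app)\b", re.I)
GITHUB_PAYLOAD = re.compile(
    r"https?://(?:raw\.githubusercontent\.com|github\.com)/[\w./-]+\.(?:apk|dex|jar)\b", re.I)
# Assumption (not stated on the page): a dropper must load or install what it
# fetched, so dynamic class loading or the install permission is the third signal.
DYNAMIC_LOAD = re.compile(
    r"dalvik/system/(?:DexClassLoader|InMemoryDexClassLoader|PathClassLoader)"
    r"|REQUEST_INSTALL_PACKAGES")

INDICATORS = {"firebase_rtdb": FIREBASE_RTDB,
              "github_payload": GITHUB_PAYLOAD,
              "dynamic_load": DYNAMIC_LOAD}


def find_indicators(strings):
    """Group the matching strings by indicator class."""
    hits = {name: [] for name in INDICATORS}
    for s in strings:
        for name, pattern in INDICATORS.items():
            if pattern.search(s):
                hits[name].append(s)
    return hits


def triage(strings):
    """Score = number of indicator classes present (0-3).

    Firebase alone is common in legitimate apps, so a single class is reported
    as 'clean'; it is the C2 + payload-host + loader combination that marks a
    dropper-style sample for analyst review.
    """
    hits = find_indicators(strings)
    score = sum(1 for matched in hits.values() if matched)
    return {"hits": hits, "score": score,
            "verdict": "review" if score >= 2 else "clean"}


if __name__ == "__main__":
    result = triage(SAMPLE_STRINGS)
    print(result["verdict"], result["score"])
    for name, matched in result["hits"].items():
        print(f"  {name}: {matched}")
```

Because both Firebase and GitHub are legitimate, widely used services, neither hostname on its own is evidence of compromise; the heuristic only flags a sample when at least two of the three classes coincide.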