A malicious campaign has been spotted using Android dropper apps on the Play Store. The apps, collectively named DawDropper, seem to be legitimate yet malicious and deliver banking malware on the device.

About the DawDropper campaign

Trend Micro spotted 17 apps laden with a new dropper variant called DawDropper.
  • These apps masqueraded as utility and productivity apps, including VPN services, QR code readers, call recorders, and document scanners.
  • With the pretense of general utility apps, dropper apps bypass Play Store security checks.
  • Besides DawDropper, these apps are used to download more capable and intrusive malware on a device, such as Octo (Coper), Hydra, Ermac, and TeaBot.

Among the dropper apps, one app named ‘Unicc QR Scanner,’ was previously spotted in July as spreading the Coper banking trojan, which is a variant of the Exobot mobile malware.

Abuse of third-party services

DawDropper abuses several third-party cloud services to stay undetected.
  • The Firebase Realtime Database is used as a C2 server, from where the dropper dynamically receives a payload download address.
  • At the same time, the dropper apps use third-party services, such as GitHub, for hosting malicious payloads.
  • The attack chain involves DawDropper establishing connections with the C2 server to obtain the GitHub URL.

In March 2021, CheckPoint researchers observed another dropper named Clast82, which uses the Firebase Realtime Database as a C2 server.


Cybercriminals are always looking for new ways to stay undetected and target as many devices.
Device users are always suggested to stay alert while installing apps even from Play Store.
Cyware Publisher