How spoofed Android apps rely on Google and Microsoft to hack you

More than a dozen Trojans have again been found on Google Play. The hackers behind them use Firebase and GitHub services to stay under the radar and deliver their payloads.

You have to admit the hackers have some nerve. Trend Micro security researchers found seventeen malicious apps on Google Play whose operation relies on services offered by… Google and Microsoft.

At first glance, these apps seem completely legitimate and harmless. They usually offer utility functions such as scanning documents, editing photos, recording phone calls or cleaning up the system. Below, in image form, is the list of these fake apps. They have since been removed from Google Play, but if you have one installed, uninstall it immediately.

[Image: list of the fake apps. Credit: Trend Micro]

In reality, these applications carry a “dropper”, that is, malicious code whose role is to download a second, usually more capable, malicious payload. Called “DawDropper”, it was programmed to be able to drop up to four different banking Trojans onto Android devices: Octo, Hydra, Ermac and TeaBot.

What’s remarkable is that this dropper uses the “Firebase Realtime Database” service as its command and control (C&C) server. It is through this service that the hackers hand the dropper the URL from which to download the Trojan.

Firebase is a popular tool among app developers because it makes it easy to implement real-time features such as alerts and notifications. Using this service therefore lets the hackers blend into the crowd of legitimate apps and, as the researchers point out, “bypass detection” on Google Play. The technique is all the more striking because Firebase is operated by Google itself. Clearly, the computer giant has a lot of trouble spotting malicious traffic in this kind of exchange.

In full view of everyone

To host the Trojans themselves, the hackers chose the services of another high-tech giant, this time Microsoft. The malicious code sits on GitHub, the collaborative development platform well known to Internet users, which the Redmond firm bought in 2018. The hackers’ code is publicly accessible, in full view of everyone.
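The pattern the article describes, a Firebase Realtime Database endpoint serving as C&C plus a GitHub-hosted executable payload, is something an analyst can screen for in the strings extracted from a decoded APK. The following triage script is an added example written for this page; it is not Trend Micro’s code, and the Firebase project name, GitHub repository and package names in the sample strings are constructed placeholders, not indicators from the report. It deliberately treats Firebase or GitHub on their own as “review” rather than “suspicious”, because both are common in legitimate apps.

```python
import re
from dataclasses import dataclass, field

# Indicator patterns. The hostnames and paths matched here are generic;
# the article names no real Firebase project or GitHub repository.
FIREBASE_RTDB = re.compile(
    r"https?://[\w-]+(?:\.[\w-]+)*\.firebaseio\.com(?:/[\w./%-]*)?", re.I)
GITHUB_DOWNLOAD = re.compile(
    r"https?://(?:raw\.githubusercontent\.com/[\w./%-]+"
    r"|github\.com/[\w.-]+/[\w.-]+/(?:raw|releases/download)/[\w./%-]+)", re.I)
# An executable artifact at the end of a download URL is the dropper hint.
PAYLOAD_EXT = re.compile(r"\.(?:apk|dex|jar)(?:\?|$)", re.I)
# Permission a dropper needs to install a downloaded APK (real Android name).
INSTALL_PERMISSION = "android.permission.REQUEST_INSTALL_PACKAGES"


@dataclass
class Triage:
    firebase_endpoints: list = field(default_factory=list)
    github_downloads: list = field(default_factory=list)
    payload_urls: list = field(default_factory=list)
    can_install_packages: bool = False

    @property
    def verdict(self) -> str:
        # Firebase alone or GitHub alone is normal for legitimate apps.
        # Firebase RTDB + GitHub-hosted executable + install permission
        # matches the DawDropper pattern described in the article.
        if self.firebase_endpoints and self.payload_urls and self.can_install_packages:
            return "dropper-pattern"
        if self.firebase_endpoints or self.github_downloads or self.payload_urls:
            return "review"
        return "clean"


def triage_strings(strings):
    """Scan a list of extracted strings and classify the app."""
    t = Triage()
    for s in strings:
        t.firebase_endpoints += FIREBASE_RTDB.findall(s)
        for url in GITHUB_DOWNLOAD.findall(s):
            t.github_downloads.append(url)
            if PAYLOAD_EXT.search(url):
                t.payload_urls.append(url)
        if INSTALL_PERMISSION in s:
            t.can_install_packages = True
    return t


# Constructed samples standing in for `strings` output over a decoded APK.
# None of these values are real indicators from the Trend Micro report.
SAMPLE_DROPPER = [
    "Lcom/example/docscanner/MainActivity;",
    "https://example-project-default-rtdb.firebaseio.com/config.json",
    "https://raw.githubusercontent.com/example-user/example-repo/main/update.apk",
    "android.permission.REQUEST_INSTALL_PACKAGES",
    "Scan complete",
]
SAMPLE_BENIGN = [
    "Lcom/example/notes/MainActivity;",
    "https://example-notes-default-rtdb.firebaseio.com/notes",
    "Synced",
]

if __name__ == "__main__":
    for name, sample in (("dropper", SAMPLE_DROPPER), ("benign", SAMPLE_BENIGN)):
        t = triage_strings(sample)
        print(f"{name}: {t.verdict}  firebase={t.firebase_endpoints}  payloads={t.payload_urls}")
```

The verdict is only a triage signal: an app that downloads an APK from GitHub and can install packages should go to dynamic analysis, not straight to a block list, and a clean result says nothing about payloads fetched at runtime from a URL the Firebase database hands out later.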

Again, this misuse evidently did not trigger any alarm. That’s a shame, because the Trojans the hackers deploy are particularly harmful. Octo, for example, constantly collects sensitive data and transmits it to the hackers. It can also record the screen to capture login codes, or disable Google Protect, the anti-virus built into Android by default.

To avoid falling victim to these attacks, the researchers recommend never downloading mobile applications blindly, but always carrying out a few checks first: who is the author? Are they known? What do other users say about the app? And so on.

Source: Trend Micro
