More than a dozen Trojans have again been found on Google Play. The hackers behind them use Firebase and GitHub services to stay under the radar and achieve their goals.
It has to be said that these hackers still have quite a nerve. Security researchers at Trend Micro have found seventeen malicious applications on Google Play whose mode of operation relies on services offered by… Google and Microsoft.
At first glance, these apps seem completely legitimate and harmless. They usually offer utility functions such as scanning documents, editing photos, recording phone calls or cleaning up the system. Below, in image form, is a list of these fake apps. They have since been removed from Google Play, but if you have one installed, it should be uninstalled immediately.
In reality, these applications contain a “dropper”, that is, malicious code whose role is to download further malicious code, usually more capable. Called “DawDropper”, it was programmed to drop up to four different banking Trojans on Android devices, namely Octo, Hydra, Ermac and TeaBot.
What is remarkable is that this dropper uses the “Firebase Realtime Database” service as its command and control (C&C) server. In particular, it is through this service that the hackers communicate the download URL of the Trojan.
Firebase is a popular tool among app developers because it makes it easy to implement real-time features such as alerts and notifications. Using this service therefore lets the hackers blend into legitimate traffic and, as the researchers point out, “bypass detection” on Google Play. The technique is all the more striking since Firebase is operated by Google itself. Clearly, the tech giant has a hard time spotting malicious flows in this kind of exchange.
In plain sight
To host the Trojans themselves, the hackers chose the services of another high-tech giant, in this case Microsoft. The malicious code sits on GitHub, the collaborative development platform well known to Internet users, which the Redmond firm acquired in 2018. The hackers' code is publicly accessible, in full view of everyone.
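The two-stage pattern described above (a read from a Firebase Realtime Database endpoint to fetch a URL, followed shortly by an APK download from GitHub) is something a defender can correlate in egress or proxy logs. The following is an added example, not code from the article or from Trend Micro: it parses a few constructed log lines and flags devices that show the sequence within a short window. The hostnames, device names and log format are assumptions; Firebase and GitHub are used legitimately by countless apps, so this is a triage heuristic, not proof of infection.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample proxy log (not real traffic, not from the report):
# timestamp, device, host, path, content-type
SAMPLE_LOG = """\
2022-07-28T09:00:01 dev-a example-app-default-rtdb.firebaseio.com /config/url.json application/json
2022-07-28T09:00:04 dev-a raw.githubusercontent.com /someuser/somerepo/main/payload.apk application/vnd.android.package-archive
2022-07-28T09:10:00 dev-b example-chat.firebaseio.com /messages.json application/json
2022-07-28T09:12:00 dev-b cdn.example.com /static/logo.png image/png
2022-07-28T09:20:00 dev-c raw.githubusercontent.com /org/tool/main/README.md text/plain
"""

FIREBASE_SUFFIX = ".firebaseio.com"          # Realtime Database REST endpoints end with .json
GITHUB_HOSTS = {"github.com", "raw.githubusercontent.com", "objects.githubusercontent.com"}
APK_TYPE = "application/vnd.android.package-archive"


def parse_log(text):
    """Turn the whitespace-separated log into (time, device, host, path, ctype) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, device, host, path, ctype = line.split(maxsplit=4)
        events.append((datetime.fromisoformat(ts), device, host, path, ctype))
    return events


def find_dropper_pattern(events, window=timedelta(minutes=5)):
    """Flag devices where an RTDB read is followed by an APK fetch from GitHub within `window`."""
    by_device = defaultdict(list)
    for ev in sorted(events):          # sorted by timestamp, the first tuple field
        by_device[ev[1]].append(ev)
    hits = []
    for device, evs in by_device.items():
        rtdb_reads = [e for e in evs if e[2].endswith(FIREBASE_SUFFIX) and e[3].endswith(".json")]
        for fb in rtdb_reads:
            for e in evs:
                is_apk = e[2] in GITHUB_HOSTS and (e[4] == APK_TYPE or e[3].endswith(".apk"))
                if is_apk and timedelta(0) <= e[0] - fb[0] <= window:
                    hits.append({"device": device, "c2": fb[2] + fb[3], "payload": e[2] + e[3]})
    return hits


if __name__ == "__main__":
    for hit in find_dropper_pattern(parse_log(SAMPLE_LOG)):
        print(hit)
```

Only dev-a is flagged: dev-b talks to Firebase but never fetches an APK, and dev-c fetches a text file from GitHub without any preceding C&C read.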
Once again, this misuse evidently did not trigger any alarm. That is a shame, because the Trojans deployed by the hackers are particularly harmful. Octo, for example, constantly collects sensitive data and transmits it to the hackers. It can also record the screen to capture login codes, or disable Google Play Protect, the anti-virus built into Android by default.
To avoid falling victim to these attacks, the researchers recommend never blindly downloading mobile applications, but always carrying out a few checks: who is the author? Is the developer known? What do other users say? And so on.