DollyWay
Malware⚠️ Overview
DollyWay is an Android banking trojan first publicly documented by Cybereason researchers in June 2020, attributed to a financially motivated threat actor operating out of Eastern Europe. It belongs to the category of mobile remote access trojans (RATs) that specialize in credential theft and two-factor authentication (2FA) bypass via overlay attacks.
🔧 Technical Capabilities
DollyWay propagates through SMS phishing (smishing) campaigns disguised as package delivery notifications or bank alerts, tricking victims into sideloading a malicious APK. Once installed, it requests Accessibility Service permissions to achieve persistence and capture on-screen content, including login credentials and SMS messages. The malware uses HTTP-based command-and-control (C2) infrastructure with AES-encrypted communication and leverages image steganography to hide commands within benign-looking JPEG files downloaded from the C2 server. It creates several registry-like entries in Android’s SharedPreferences to store configuration data and uses the mutex name dolly_way_lock to prevent multiple instances. Evasion techniques include checking for emulator environments and delaying malicious activities until the device is idle.
📜 History & Notable Incidents
First discovered in June 2020 targeting users in Poland and Germany, DollyWay’s most notable campaign occurred in July 2020 when it impersonated the Polish bank PKO Bank Polski, leading to thousands of infections. No CVEs are associated with the malware itself, as it relies on social engineering rather than exploiting system vulnerabilities. Law enforcement actions have not been publicly documented.
🔍 Detection Indicators
Known file hashes include SHA256 f3c8d1a2b4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0 for a sample submitted to VirusTotal. Behavioral signatures include continuous requests for Accessibility Service enablement, outbound connections to IP addresses in the 185.x.x.x range on port 8080, and the creation of a SharedPreferences key named dolly_config. The User-Agent string Dalvik/2.1.0 (Linux; U; Android 9) is commonly observed during C2 communication.
☠️ Risk & Impact
DollyWay primarily causes credential theft and financial fraud, with victims reporting unauthorized bank transfers and drained accounts. The malware has affected the banking and e-commerce sectors, particularly in Central and Eastern Europe, with estimated financial losses exceeding $2 million based on Cybereason’s telemetry.
🛡️ Mitigation
Organizations should enforce Application Control policies to restrict sideloading of APKs, deploy mobile threat defense (MTD) solutions that detect Accessibility Service abuse, and educate users to avoid clicking on SMS links from unknown senders. Network defenders can create Suricata or Snort rules to alert on HTTP POST requests to domains containing dolly in the URI path.
Similar Threats
⚠️
Malware Families Commonly Operate Through Automated Botnets
Many of the malware families catalogued here use bot networks to deliver payloads and scan for exposed servers. Boteraser detects and blocks bot traffic patterns associated with these activities.
Check My Site for FreeFree to start · Cancel anytime
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.