Security researchers have discovered a malware dropper hidden inside 10 Google Play apps, which could have put users at risk of remote access and banking malware.
Check Point said it found the Clast82 dropper inside a variety of applications on the official marketplace, including VPNs, QR readers and music players.
Clast82 drops the malware-as-a-service AlienBot Banker, which is designed to circumvent two-factor authentication codes on banking apps to give attackers access to users’ accounts. It is also capable of loading a mobile remote access trojan (MRAT) capable of remotely controlling the victim’s phone with TeamViewer.
It’s designed to bypass Google Play Protect with two main tactics. The first is by using Google-owned Firebase for command-and-control (C&C) communications. The threat actor also disabled the dropper’s malicious behavior as it was being evaluated by Google, according to Check Point.
Second, it downloads the payload from GitHub, creating a new developer user for Google Play for each application, alongside a repository on their GitHub account. This enabled the attacker to distribute different payloads to devices infected by each malicious version of the app.
Aviran Hazum, manager of mobile research at Check Point, branded the tactics “creative, but concerning” in their apparent simplicity.
“The victims thought they were downloading an innocuous utility app from the official Android market, but what they were really getting was a dangerous Trojan coming straight for their financial accounts,” he added.
“The dropper’s ability to remain undetected demonstrates the importance of why users should install a mobile security solution on their device. It is not enough to just scan the app during the evaluation period, as a malicious actor can, and will, change the application’s behavior using readily available third-party tools.”
After reporting its findings to Google on January 28 2021, Check Point saw that all Clast82 apps were removed from Google Play on February 9.