
Dangerous Malware Dropper Found in 10 Utility Apps on Google's Play Store


Check Point Research (CPR) discovered a new malicious program, Clast82, designed to deliver other malware to victims' phones through utility apps on Google Play, bypassing the Play Store's protections. The malware it delivers gives the hacker access to victims' financial accounts and control of their phones.




  • Hacker manipulated readily available third-party resources (Firebase and GitHub) to evade detection by Google Play Protect  
  • Second stage malware triggered by Clast82 can bypass two-factor authentication on financial accounts, and give full control over a victim’s phone, as if the hacker is holding the phone physically
  • CPR responsibly disclosed findings to Google. On Feb 9, Google confirmed that the 10 malicious applications were removed from its Play Store  

 

Check Point Research (CPR) discovered a new dropper – a malicious program designed to deliver other malware to a victim's phone – spreading on Google’s Play Store. Dubbed “Clast82” by researchers, the dropper enacts second stage malware that gave the hacker intrusive access to the financial accounts of victims, as well as full control of victims’ mobile phones. CPR found Clast82 inside 10 utility apps, spanning functions from screen recording and QR scanning to virtual private networking (VPN).

 

Clast82 drops the malware-as-a-service AlienBot Banker, a second stage malware that targets financial applications by bypassing two-factor authentication codes for financial services. Concurrently, Clast82 is equipped with a mobile remote access trojan (MRAT) capable of controlling the victim’s phone with TeamViewer, making it as if the hacker is holding a victim’s phone physically.

 

Check Point researchers outlined the attack method involving Clast82 as below:

  1. Victim downloads a malicious utility app from Google Play, containing the Clast82 dropper
  2. Clast82 communicates with its C&C server to receive a configuration
  3. Clast82 downloads the payload named in the configuration and installs it on the Android device; in this case, the AlienBot Banker
  4. Hacker gains access to the victim's financial credentials and proceeds to control the victim's phone entirely

 

Clast82 utilizes a series of techniques to evade detection by Google Play Protect, the security protection in the Play Store. Specifically, Clast82:

  • Uses Firebase (owned by Google) as the platform for C&C communication. During Clast82's evaluation period on Google Play, the hacker changed the configuration served from the command-and-control side via Firebase, and in this way "disabled" the malicious behavior of Clast82 while Google was evaluating the app.

  • Uses GitHub as a third-party hosting platform from which to download the payload. For each application, the actor created a new developer user for the Google Play store, along with a repository on the actor's GitHub account, allowing the actor to distribute a different payload to the devices infected by each malicious application.

 

The 10 malicious utility applications

The hacker used legitimate and known open-source Android applications. The list of applications was:

 

  • Cake VPN - com.lazycoder.cakevpns
  • Pacific VPN - com.protectvpn.freeapp
  • eVPN - com.abcd.evpnfree
  • BeatPlayer - com.crrl.beatplayers
  • BeatPlayer - com.crrl.beatplayers
  • QR/Barcode Scanner MAX - com.bezrukd.qrcodebarcode
  • eVPN - com.abcd.evpnfree
  • Music Player - com.revosleap.samplemusicplayers
  • tooltipnatorlibrary - com.mistergrizzlys.docscanpro
  • QRecorder - com.record.callvoicerecorder
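As an added example (not code from Check Point or from the article), the following Python script shows two defender-side checks suggested by the dropper behaviour described above and by the package list: it parses a decoded AndroidManifest.xml and flags the combination of the INTERNET and REQUEST_INSTALL_PACKAGES permissions that an app needs in order to fetch and side-load a second-stage APK, and it matches the output of `adb shell pm list packages` against the Clast82 package IDs listed in this article. The permission heuristic is my own inference about what a dropper needs, not something the article states, and both the manifests and the `pm` output are constructed samples.

```python
# Added example, not Check Point's or the article's code: triage a decoded
# AndroidManifest.xml for dropper capability and match installed package
# names against the Clast82 package IDs listed in the article.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Package names taken from the article's list of the removed apps.
CLAST82_PACKAGES = {
    "com.lazycoder.cakevpns",
    "com.protectvpn.freeapp",
    "com.abcd.evpnfree",
    "com.crrl.beatplayers",
    "com.bezrukd.qrcodebarcode",
    "com.revosleap.samplemusicplayers",
    "com.mistergrizzlys.docscanpro",
    "com.record.callvoicerecorder",
}

# Assumption (not from the article): an app that downloads and installs a
# payload needs network access plus permission to start a package install.
DROPPER_PERMISSIONS = {
    "android.permission.INTERNET",
    "android.permission.REQUEST_INSTALL_PACKAGES",
}

# Constructed sample manifests (not real app manifests).
SAMPLE_DROPPER_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.abcd.evpnfree">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <application android:label="eVPN"/>
</manifest>
"""

SAMPLE_BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Notes"/>
</manifest>
"""

# Constructed `adb shell pm list packages` output.
SAMPLE_PM_OUTPUT = """package:com.android.chrome
package:com.crrl.beatplayers
package:com.example.notes
"""


def parse_manifest(xml_text):
    """Return (package_name, set_of_requested_permissions) from a decoded manifest."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    perms = {
        el.get("{%s}name" % ANDROID_NS, "")
        for el in root.iter("uses-permission")
    }
    return package, perms


def triage(xml_text):
    """Report a known Clast82 package name and/or dropper-capable permissions."""
    package, perms = parse_manifest(xml_text)
    findings = []
    if package in CLAST82_PACKAGES:
        findings.append("known Clast82 package name: %s" % package)
    if DROPPER_PERMISSIONS <= perms:
        findings.append(
            "requests INTERNET + REQUEST_INSTALL_PACKAGES (can side-load a payload)"
        )
    return {"package": package, "findings": findings}


def match_installed(pm_list_output):
    """Match `pm list packages` lines ('package:<name>') against the IoC list."""
    installed = {
        line.strip()[len("package:"):]
        for line in pm_list_output.splitlines()
        if line.strip().startswith("package:")
    }
    return sorted(installed & CLAST82_PACKAGES)


if __name__ == "__main__":
    for sample in (SAMPLE_DROPPER_MANIFEST, SAMPLE_BENIGN_MANIFEST):
        result = triage(sample)
        print(result["package"], "->", result["findings"] or "no finding")
    print("installed Clast82 packages:", match_installed(SAMPLE_PM_OUTPUT))
```

Run the manifest check against the output of `apktool d` (or any decoder that yields a readable AndroidManifest.xml), and feed `match_installed` the raw output of `adb shell pm list packages`. The permission pair only marks an app as capable of installing a payload, so a hit on that check alone is a reason to look closer, not a verdict; a package-name hit corresponds directly to the article's list.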

 

Aviran Hazum, manager of mobile research at Check Point, said: “The hacker behind Clast82 was able to bypass Google Play’s protections using a creative, but concerning, methodology. With a simple manipulation of readily available 3rd party resources – like a GitHub account, or a Firebase account – the hacker was able to leverage readily available resources to bypass Google Play Store's protections.

 

“The victims thought they were downloading an innocuous utility app from the official Android market, but what they were really getting was a dangerous trojan coming straight for their financial accounts. The dropper’s ability to remain undetected demonstrates the importance of why users should install a mobile security solution on their device. It is not enough to just scan the app during the evaluation period, as a malicious actor can, and will, change the application’s behavior using readily available 3rd party tools.”

 

CPR reported its findings to Google on January 28, 2021. On February 9th, 2021, Google confirmed that all Clast82 apps were removed from the Google Play Store.

 
