Technology Industry News

Dangerous Malware Dropper Found in 10 Utility Apps on Google's Play Store


Check Point Research (CPR) discovered a new malicious program, Clast82, hidden in utility apps on Google Play and designed to deliver other malware to victims' phones while bypassing the Play Store's protections. The malware it delivers gives the attacker access to victims' financial accounts and control of their phones.



"The victims thought they were downloading an innocuous utility app from the official Android market, but what they were really getting was a trojan coming straight for their financial accounts"
Aviran Hazum



  • The attacker manipulated readily available third-party resources (Firebase and GitHub) to evade detection by Google Play Protect
  • The second-stage malware triggered by Clast82 can bypass two-factor authentication on financial accounts and give full control over a victim's phone, as if the attacker were holding the phone physically
  • CPR responsibly disclosed its findings to Google. On Feb 9, Google confirmed that the 10 malicious applications had been removed from its Play Store

 

Check Point Research (CPR) discovered a new dropper, a malicious program designed to deliver other malware to a victim's phone, spreading on Google's Play Store. Dubbed "Clast82" by researchers, the dropper delivers a second-stage malware that gave the attacker intrusive access to victims' financial accounts, as well as full control of victims' mobile phones. CPR found Clast82 inside 10 utility apps, spanning functions from screen recording and QR scanning to virtual private networking (VPN).

 

Clast82 drops the malware-as-a-service AlienBot Banker, a second stage malware that targets financial applications by bypassing two-factor authentication codes for financial services. Concurrently, Clast82 is equipped with a mobile remote access trojan (MRAT) capable of controlling the victim’s phone with TeamViewer, making it as if the hacker is holding a victim’s phone physically.

 

Check Point researchers outlined the attack method involving Clast82 as follows:

  1. The victim downloads a malicious utility app from Google Play that contains the Clast82 dropper
  2. Clast82 communicates with its C&C server to receive a configuration
  3. Clast82 downloads the payload specified in the configuration and installs it on the Android device; in this case, the AlienBot Banker
  4. The attacker gains access to the victim's financial credentials and proceeds to take full control of the victim's phone

 

Clast82 uses a series of techniques to evade detection by Google Play Protect, the Play Store's built-in security layer. Specifically, Clast82:

  • Uses Firebase (owned by Google) as the platform for C&C communication. During Clast82's evaluation period on Google Play, the attacker changed the configuration on the command-and-control side through Firebase and thereby "disabled" Clast82's malicious behaviour for the duration of Google's review.

  • Uses GitHub as a third-party hosting platform from which to download the payload. For each application, the actor created a new developer account on the Google Play store, along with a repository on the actor's GitHub account, which allowed the actor to distribute a different payload to the devices infected by each malicious application.
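The four-step chain and the two evasion techniques above describe a behavioural pattern a defender can look for: an app fetches a remote configuration, then downloads an APK from a third-party hosting site, then triggers a package install. The following detector, an added example that is not Check Point's code, walks a constructed stream of per-app events and flags packages that complete that sequence in order. The event line format, the sample log lines, the package names and the host lists are all assumptions made for the example.

```python
"""
Added example (not from the original article or from Check Point): flag an
app that performs the dropper sequence described in the write-up:
remote-config fetch -> APK download from third-party hosting -> package install.
The log format and every sample line below are constructed for this example.
"""
import re
from collections import defaultdict

# Illustrative host lists (assumptions). A real deployment would curate these.
REMOTE_CONFIG_HOSTS = ("firebaseio.com", "firebaseremoteconfig.googleapis.com")
PAYLOAD_HOSTS = ("github.com", "raw.githubusercontent.com")

# Constructed event format: "<timestamp> pkg=<package> event=<name> [url=<url>]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) pkg=(?P<pkg>\S+) event=(?P<event>\S+)(?: url=(?P<url>\S+))?$"
)

# Constructed sample log: one app only reads remote config, one downloads a
# JSON file from GitHub, and one completes the full dropper-style sequence.
SAMPLE_LOG = [
    "2021-02-01T10:00:00Z pkg=com.example.weather event=net_connect url=https://example-project.firebaseio.com/cfg.json",
    "2021-02-01T10:00:01Z pkg=com.example.qrtool event=net_connect url=https://example-project.firebaseio.com/cfg.json",
    "2021-02-01T10:00:02Z pkg=com.example.notes event=net_download url=https://raw.githubusercontent.com/acme/notes/main/themes.json",
    "2021-02-01T10:00:03Z pkg=com.example.qrtool event=net_download url=https://raw.githubusercontent.com/acme/repo/main/stage2.apk",
    "2021-02-01T10:00:04Z pkg=com.example.qrtool event=package_install",
    "2021-02-01T10:00:05Z pkg=com.example.weather event=net_connect url=https://api.example.com/forecast",
    "this line is not in the expected format and is skipped",
]


def parse_line(line):
    """Return a dict with ts/pkg/event/url for a well-formed line, else None."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def host_of(url):
    """Extract the lower-cased host from an http(s) URL; '' if absent."""
    m = re.match(r"https?://([^/:]+)", url or "")
    return m.group(1).lower() if m else ""


def matches_any(host, suffixes):
    """True if host equals or is a subdomain of any listed suffix."""
    return any(host == s or host.endswith("." + s) for s in suffixes)


def find_dropper_sequences(lines):
    """Return {package: [stage names]} for every package whose events contain,
    in order, a remote-config fetch, an APK download from a third-party host,
    and a package install. Order matters: a lone APK download is not flagged."""
    stage = defaultdict(int)      # per-package position in the 3-step chain
    seen = defaultdict(list)      # per-package stage names reached so far
    flagged = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        pkg, event, url = ev["pkg"], ev["event"], ev["url"]
        host = host_of(url)
        if stage[pkg] == 0 and event == "net_connect" and matches_any(host, REMOTE_CONFIG_HOSTS):
            stage[pkg] = 1
            seen[pkg].append("remote_config_fetch")
        elif (stage[pkg] == 1 and event == "net_download"
              and matches_any(host, PAYLOAD_HOSTS) and url.lower().endswith(".apk")):
            stage[pkg] = 2
            seen[pkg].append("third_party_apk_download")
        elif stage[pkg] == 2 and event == "package_install":
            stage[pkg] = 3
            seen[pkg].append("sideload_install")
            flagged[pkg] = list(seen[pkg])
    return flagged


if __name__ == "__main__":
    for pkg, stages in find_dropper_sequences(SAMPLE_LOG).items():
        print(f"{pkg}: {' -> '.join(stages)}")
```

Only the package that completes all three steps in order is reported; the weather app's config fetch and the notes app's JSON download are left alone. Because legitimate self-updating apps can produce the same sequence, the result is a triage signal to pair with the app's permissions and install source rather than a verdict on its own, and, as the article notes, a one-off scan at review time misses a configuration that is switched on later, so the check is meant to run continuously on the device or in an emulation sandbox.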

 

The 10 malicious utility applications

The attacker repackaged legitimate and well-known open-source Android applications. The list of applications was:

  • Cake VPN - com.lazycoder.cakevpns
  • Pacific VPN - com.protectvpn.freeapp
  • eVPN - com.abcd.evpnfree
  • BeatPlayer - com.crrl.beatplayers
  • BeatPlayer - com.crrl.beatplayers
  • QR/Barcode Scanner MAX - com.bezrukd.qrcodebarcode
  • eVPN - com.abcd.evpnfree
  • Music Player - com.revosleap.samplemusicplayers
  • tooltipnatorlibrary - com.mistergrizzlys.docscanpro
  • QRecorder - com.record.callvoicerecorder

 

Aviran Hazum, manager of mobile research at Check Point, said: "The hacker behind Clast82 was able to bypass Google Play's protections using a creative, but concerning, methodology. With a simple manipulation of readily available 3rd party resources – like a GitHub account, or a Firebase account – the hacker was able to leverage readily available resources to bypass Google Play Store's protections.

 

“The victims thought they were downloading an innocuous utility app from the official Android market, but what they were really getting was a dangerous trojan coming straight for their financial accounts. The dropper’s ability to remain undetected demonstrates the importance of why users should install a mobile security solution on their device. It is not enough to just scan the app during the evaluation period, as a malicious actor can, and will, change the application’s behavior using readily available 3rd party tools.”

 

CPR reported its findings to Google on January 28, 2021. On February 9th, 2021, Google confirmed that all Clast82 apps were removed from the Google Play Store.

 