"The victims thought they were downloading an innocuous utility app from the official Android market, but what they were really getting was a trojan coming straight for their financial accounts"
Aviran Hazum
- Hacker manipulated readily available 3rd-party resources – Firebase and GitHub – to evade detection by Google Play Protect
- Second stage malware triggered by Clast82 can bypass two-factor authentication on financial accounts, and give full control over a victim’s phone, as if the hacker is holding the phone physically
- CPR responsibly disclosed findings to Google. On Feb 9, Google confirmed that the 10 malicious applications were removed from its Play Store
Check Point Research (CPR) discovered a new dropper – a malicious program designed to deliver other malware to a victim's phone – spreading on Google’s Play Store. Dubbed “Clast82” by researchers, the dropper installs second-stage malware that gave the hacker intrusive access to the financial accounts of victims, as well as full control of victims’ mobile phones. CPR found Clast82 inside 10 utility apps, spanning functions from screen recording and QR scanning to virtual private networking (VPN).
Clast82 drops the malware-as-a-service AlienBot Banker, a second stage malware that targets financial applications by bypassing two-factor authentication codes for financial services. Concurrently, Clast82 is equipped with a mobile remote access trojan (MRAT) capable of controlling the victim’s phone with TeamViewer, making it as if the hacker is holding a victim’s phone physically.
Check Point researchers outlined the attack method involving Clast82 as follows:
- Victim downloads a malicious utility app from Google Play, containing the Clast82 dropper
- Clast82 communicates with C&C server to receive configuration
- Clast82 downloads the payload received by the configuration, and installs it on the Android device – in this case, the AlienBot Banker
- Hacker gains access to the victim's financial credentials and proceeds to take full control of the victim’s phone
Clast82 utilizes a series of techniques to evade detection by Google Play Protect, the Play Store's built-in security mechanism. Specifically, Clast82:
- Uses Firebase (owned by Google) as the platform for C&C communication. During the Clast82 evaluation period on Google Play, the hacker changed the configuration on the C&C side via Firebase. In turn, the hacker "disabled" the malicious behavior of Clast82 for the duration of Google's evaluation.
- Uses GitHub as a 3rd-party hosting platform from which to download the payload. For each application, the actor created a new developer user for the Google Play store, along with a repository on the actor’s GitHub account, thus allowing the actor to distribute different payloads to the devices infected by each malicious application.
The 10 malicious utility applications
The hacker used legitimate and known open-source Android applications. The list of applications was:
Cake VPN - com.lazycoder.cakevpns
Pacific VPN - com.protectvpn.freeapp
eVPN - com.abcd.evpnfree
BeatPlayer - com.crrl.beatplayers
BeatPlayer - com.crrl.beatplayers
QR/Barcode Scanner MAX - com.bezrukd.qrcodebarcode
eVPN - com.abcd.evpnfree
Music Player - com.revosleap.samplemusicplayers
tooltipnatorlibrary - com.mistergrizzlys.docscanpro
QRecorder - com.record.callvoicerecorder
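The package names above are the only device-side indicators this write-up gives, so a practical first check for an Android fleet is to sweep the output of `adb shell pm list packages` for them. The script below is an added example, not code from Check Point Research; the package names are taken from the list above (duplicates collapsed), while the `adb` output it parses is constructed for illustration.

```python
"""Sweep `adb shell pm list packages` output for the Clast82 package names
published in the Check Point Research write-up.

Added example: the package names come from the report's list; the sample
`adb` output at the bottom is constructed, not captured from a real device.
"""
import re
import sys
from typing import Dict, List, Optional, Tuple

# Package names from the CPR list above. The report lists two of them twice
# because the same app was uploaded under more than one developer account;
# here each package appears once.
CLAST82_PACKAGES: Dict[str, str] = {
    "com.lazycoder.cakevpns": "Cake VPN",
    "com.protectvpn.freeapp": "Pacific VPN",
    "com.abcd.evpnfree": "eVPN",
    "com.crrl.beatplayers": "BeatPlayer",
    "com.bezrukd.qrcodebarcode": "QR/Barcode Scanner MAX",
    "com.revosleap.samplemusicplayers": "Music Player",
    "com.mistergrizzlys.docscanpro": "tooltipnatorlibrary",
    "com.record.callvoicerecorder": "QRecorder",
}

# `pm list packages` prints "package:<name>"; with -f it prints
# "package:<apk path>=<name>". APK paths on newer Android builds contain
# "==" segments, so the path group is greedy and the name is anchored to
# the last "=" on the line.
_LINE_RE = re.compile(r"^package:(?:(?P<path>.+)=)?(?P<name>[\w.]+)$")


def parse_pm_list(pm_output: str) -> Dict[str, Optional[str]]:
    """Map installed package name -> APK path (None when -f was not used)."""
    installed: Dict[str, Optional[str]] = {}
    for raw in pm_output.splitlines():
        line = raw.strip()
        m = _LINE_RE.match(line)
        if not m:
            continue  # skip blank lines and adb daemon chatter
        installed[m.group("name")] = m.group("path")
    return installed


def find_clast82_packages(pm_output: str) -> List[Tuple[str, str]]:
    """Return (package name, app name) pairs for installed Clast82 droppers."""
    installed = parse_pm_list(pm_output)
    return sorted(
        (pkg, CLAST82_PACKAGES[pkg]) for pkg in installed if pkg in CLAST82_PACKAGES
    )


# Constructed sample output mixing -f and plain formats plus adb noise.
SAMPLE_PM_OUTPUT = """\
* daemon not running; starting now at tcp:5037
* daemon started successfully
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/data/app/~~rD2x==/com.crrl.beatplayers-Vq1==/base.apk=com.crrl.beatplayers
package:/data/app/~~u7Gd==/com.example.notes-9aZ==/base.apk=com.example.notes
package:com.abcd.evpnfree
"""

if __name__ == "__main__":
    # Read a real listing from stdin when piped in; otherwise use the sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PM_OUTPUT
    hits = find_clast82_packages(data)
    if not hits:
        print("no Clast82 packages found")
    for pkg, name in hits:
        print(f"FOUND {name} ({pkg})")
```

Run it as `adb shell pm list packages -f | python clast82_sweep.py` against a connected device. A hit confirms the dropper was installed, but a clean result does not prove the device is unaffected: the AlienBot payload was fetched from GitHub after installation and carries its own package name, which this write-up does not list, so a flagged device still needs a full review of side-loaded packages and accessibility or remote-control grants.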
Aviran Hazum, manager of mobile research at Check Point, said: “The hacker behind Clast82 was able to bypass Google Play’s protections using a creative, but concerning, methodology. With a simple manipulation of readily available 3rd party resources – like a GitHub account, or a Firebase account – the hacker was able to leverage readily available resources to bypass Google Play Store's protections.
“The victims thought they were downloading an innocuous utility app from the official Android market, but what they were really getting was a dangerous trojan coming straight for their financial accounts. The dropper’s ability to remain undetected demonstrates the importance of why users should install a mobile security solution on their device. It is not enough to just scan the app during the evaluation period, as a malicious actor can, and will, change the application’s behavior using readily available 3rd party tools.”
CPR reported its findings to Google on January 28, 2021. On February 9th, 2021, Google confirmed that all Clast82 apps were removed from the Google Play Store.