Highlights

  • Check Point Research discovered a new dropper being spread via 9 malicious Android apps on the official Google Play store
  • The malware family allows the attacker to obtain access to victims’ financial accounts and take full control of their mobile phone
  • Google removed the apps from the Play store after being notified by Check Point Software

Our Findings

Check Point Research (CPR) recently discovered a new dropper spreading via the Google Play store. The dropper, dubbed Clast82, is able to evade Google Play Protect, pass the evaluation period, and then swap the payload it drops from a benign one to the AlienBot Banker and MRAT.

The AlienBot malware family is Malware-as-a-Service (MaaS) for Android devices that allows a remote attacker to inject malicious code into legitimate financial applications. The attacker obtains access to victims’ accounts and eventually gains complete control of the device. Once in control, the attacker can operate the device much as if they were physically holding it, for example installing new applications or even remote-controlling it through TeamViewer.

After Check Point Research reported its findings to the Android Security team, Google confirmed that all Clast82 apps were removed from the Google Play Store.

Timeline

January 27th – Initial discovery

January 28th – Report to Google

February 9th – Google confirmed that all Clast82 apps were removed from the Google Play Store.

Bypassing detection during evaluation period

During the Clast82 evaluation period on Google Play, the configuration sent from the Firebase C&C contains an “enable” parameter. Based on that parameter’s value, the malware “decides” whether or not to trigger the malicious behavior. The parameter is set to “false” and only changes to “true” after Google has published the Clast82 app on Google Play.

The malware’s ability to remain undetected shows why a mobile security solution is needed. Scanning the app during the evaluation period alone is not enough, as a malicious actor can, and will, change the application’s behavior afterwards using third-party tools. Because the payload dropped by Clast82 does not originate from Google Play, scanning applications before submission to review would not actually prevent the installation of the malicious payload. A solution that monitors the device itself, constantly scanning network connections and per-application behavior, would be able to detect such behavior.

Tips to protect yourself from malicious mobile apps

Harmony Mobile (formerly known as SandBlast Mobile) delivers complete protection for the mobile workforce by providing a wide range of capabilities that are simple to deploy, manage and scale. Harmony Mobile provides protection for all mobile attack vectors, including the download of malicious applications and applications with malware embedded in them.

Droppers:

Name                      Package name
Cake VPN                  com.lazycoder.cakevpns
Pacific VPN               com.protectvpn.freeapp
eVPN                      com.abcd.evpnfree
BeatPlayer                com.crrl.beatplayers
QR/Barcode Scanner MAX    com.bezrukd.qrcodebarcode
eVPN                      com.abcd.evpnfree
Music Player              com.revosleap.samplemusicplayers
tooltipnatorlibrary       com.mistergrizzlys.docscanpro
QRecorder                 com.record.callvoicerecorder
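
As an added example (not code from Check Point’s post, nor from the Harmony Mobile product), the following Python script turns the package names in the table above into a device-side check: it parses the installed-package list, flags any package that is itself a known Clast82 dropper, flags any package whose recorded installer is one of those droppers (which is where a second-stage payload fetched from outside Google Play would appear), and lists anything else not installed by the Play Store. It assumes the `package:NAME  installer=INSTALLER` line format of `adb shell pm list packages -i`; the sample output and the package names `com.example.*` are constructed for the demonstration.

```python
import re

# Package names of the Clast82 droppers listed in the table above.
CLAST82_DROPPERS = frozenset({
    "com.lazycoder.cakevpns",
    "com.protectvpn.freeapp",
    "com.abcd.evpnfree",
    "com.crrl.beatplayers",
    "com.bezrukd.qrcodebarcode",
    "com.revosleap.samplemusicplayers",
    "com.mistergrizzlys.docscanpro",
    "com.record.callvoicerecorder",
})

# Package name of the Google Play Store app, the only installer treated as trusted here.
PLAY_STORE_INSTALLER = "com.android.vending"
TRUSTED_INSTALLERS = frozenset({PLAY_STORE_INSTALLER})

# Assumed line format of `adb shell pm list packages -i`:
#   package:com.example.app  installer=com.android.vending
# "installer=null" means no installer was recorded (typical for sideloads and system apps).
_LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<installer>\S+)$")

# Constructed sample output, not captured from a real device.
SAMPLE_PM_OUTPUT = """\
package:com.android.chrome  installer=com.android.vending
package:com.lazycoder.cakevpns  installer=com.android.vending
package:com.example.droppedpayload  installer=com.lazycoder.cakevpns
package:com.example.sideload  installer=null
"""


def parse_pm_list(output):
    """Return {package: installer} from `pm list packages -i` text; 'null' becomes None."""
    installed = {}
    for line in output.splitlines():
        m = _LINE_RE.match(line.strip())
        if not m:
            continue  # skip blanks or lines in an unexpected format
        installer = m.group("installer")
        installed[m.group("pkg")] = None if installer == "null" else installer
    return installed


def triage(installed, droppers=CLAST82_DROPPERS, trusted=TRUSTED_INSTALLERS):
    """Classify installed packages.

    'dropper'    - packages that are themselves known Clast82 droppers
    'dropped_by' - (package, installer) pairs whose installer is a known dropper,
                   i.e. a payload that did not come through Google Play
    'sideloaded' - (package, installer) pairs with no installer or an untrusted one
    """
    findings = {"dropper": [], "dropped_by": [], "sideloaded": []}
    for pkg, installer in sorted(installed.items()):
        if pkg in droppers:
            findings["dropper"].append(pkg)
        if installer in droppers:
            findings["dropped_by"].append((pkg, installer))
        elif installer not in trusted:
            findings["sideloaded"].append((pkg, installer))
    return findings


def main():
    findings = triage(parse_pm_list(SAMPLE_PM_OUTPUT))
    for category, items in findings.items():
        for item in items:
            print(f"[{category}] {item}")
    return findings


if __name__ == "__main__":
    main()
```

On a real device, feed the script the output of `adb shell pm list packages -i -3` so that only third-party packages are considered; otherwise every preinstalled system app, which also reports `installer=null`, lands in the `sideloaded` list. The `dropped_by` category is the one that matters for this campaign: the dropper itself was installed by Google Play and would pass an installer-origin check, but the payload it fetches later is recorded as installed by the dropper package.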
