Dangerous Malware Dropper Found in 10 Utility Apps on Google’s Play Store

March 2021 by Check Point

Check Point Research (CPR) discovered a new dropper – a malicious program designed to deliver other malware to a victim’s phone – spreading on Google’s Play Store. Dubbed “Clast82” by researchers, the dropper delivers second-stage malware that gave the hacker intrusive access to victims’ financial accounts, as well as full control of their mobile phones. CPR found Clast82 inside 10 utility apps, spanning functions from screen recording and QR scanning to virtual private networking (VPN).

Clast82 drops the malware-as-a-service AlienBot Banker, a second-stage malware that targets financial applications by bypassing their two-factor authentication codes. Clast82 is also equipped with a mobile remote access trojan (MRAT) capable of controlling the victim’s phone through TeamViewer, giving the hacker the same control as if physically holding the victim’s phone.

Check Point researchers outlined the attack method involving Clast82 as below:

1. Victim downloads a malicious utility app from Google Play, containing the Clast82 dropper

2. Clast82 communicates with its C&C server to receive a configuration

3. Clast82 downloads the payload specified in the configuration and installs it on the Android device – in this case, the AlienBot Banker

4. The hacker gains access to the victim’s financial credentials and proceeds to take full control of the victim’s phone

Clast82 uses a series of techniques to evade detection by Google Play Protect, the security protection built into the Play Store. Specifically, Clast82:

• Uses Firebase (owned by Google) as its platform for C&C communication. During Clast82’s evaluation period on Google Play, the hacker changed the configuration on the command-and-control side through Firebase, thereby "disabling" Clast82’s malicious behavior while Google was evaluating the app.

• Uses GitHub as a third-party hosting platform from which the payload is downloaded. For each application, the actor created a new developer account on the Google Play Store, along with a repository on the actor’s GitHub account, allowing the actor to distribute a different payload to the devices infected by each malicious application.
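The two evasion techniques above describe a recognisable dropper shape: remote configuration on Firebase, a payload fetched from GitHub, and the ability to install a downloaded APK. The following triage heuristic is an added example, not Check Point’s code, that scores an app’s extracted package name, permissions and strings (as produced by any APK string/manifest extractor) against that shape; the Firebase hostnames and the use of REQUEST_INSTALL_PACKAGES are assumptions, since the article does not say which Firebase service Clast82 used or how it installed the payload.

```python
import re
from typing import Dict, Iterable, List

# Package names the article lists for the Clast82-carrying apps.
CLAST82_PACKAGES = {
    "com.lazycoder.cakevpns", "com.protectvpn.freeapp", "com.abcd.evpnfree",
    "com.crrl.beatplayers", "com.bezrukd.qrcodebarcode",
    "com.revosleap.samplemusicplayers", "com.mistergrizzlys.docscanpro",
    "com.record.callvoicerecorder",
}

# Infrastructure shape described in the article: Firebase for C&C configuration,
# GitHub for payload hosting. Which Firebase product Clast82 used is not stated;
# the hostnames below are an assumption covering common Firebase endpoints.
FIREBASE_HOST = re.compile(
    r"https?://[\w.-]+\.(firebaseio\.com|firebasedatabase\.app)"
    r"|https?://firebaseremoteconfig\.googleapis\.com", re.I)
GITHUB_DOWNLOAD = re.compile(
    r"https?://(raw\.githubusercontent\.com/|github\.com/[\w.-]+/[\w.-]+/releases/download/)", re.I)
APK_REF = re.compile(r"\.apk\b", re.I)
# Permission an app needs on Android 8+ to install a downloaded APK itself (assumption).
INSTALL_PERM = "android.permission.REQUEST_INSTALL_PACKAGES"
DROPPER_SHAPE = {"requests_install_packages", "firebase_config_endpoint", "github_hosted_download"}


def triage(package: str, permissions: Iterable[str], strings: Iterable[str]) -> Dict[str, object]:
    """Score one app's extracted metadata against the Clast82 dropper pattern."""
    strings = list(strings)
    hits: List[str] = []
    if package in CLAST82_PACKAGES:
        hits.append("known_clast82_package")
    if INSTALL_PERM in set(permissions):
        hits.append("requests_install_packages")
    if any(FIREBASE_HOST.search(s) for s in strings):
        hits.append("firebase_config_endpoint")
    if any(GITHUB_DOWNLOAD.search(s) for s in strings):
        hits.append("github_hosted_download")
    if any(APK_REF.search(s) for s in strings):
        hits.append("references_apk_file")
    # A listed package is conclusive. Otherwise require the full dropper shape, because
    # Firebase or GitHub alone is common in legitimate apps and only merits review.
    verdict = ("known_clast82" if "known_clast82_package" in hits
               else "dropper_pattern" if DROPPER_SHAPE <= set(hits)
               else "review" if hits else "clean")
    return {"package": package, "indicators": hits, "verdict": verdict}
```

Because the dropper stayed dormant during Play’s evaluation, the strings and permissions should come from the APK as actually installed on devices, not only from the version first submitted.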

The 10 malicious utility applications

The hacker built on legitimate and well-known open-source Android applications. The applications were:

Name                      Package name
Cake VPN                  com.lazycoder.cakevpns
Pacific VPN               com.protectvpn.freeapp
eVPN                      com.abcd.evpnfree
BeatPlayer                com.crrl.beatplayers
QR/Barcode Scanner MAX    com.bezrukd.qrcodebarcode
Music Player              com.revosleap.samplemusicplayers
tooltipnatorlibrary       com.mistergrizzlys.docscanpro
QRecorder                 com.record.callvoicerecorder

Aviran Hazum, manager of mobile research at Check Point, said: “The hacker behind Clast82 was able to bypass Google Play’s protections using a creative, but concerning, methodology. With a simple manipulation of readily available 3rd party resources – like a GitHub account, or a Firebase account – the hacker was able to leverage readily available resources to bypass Google Play Store’s protections.

“The victims thought they were downloading an innocuous utility app from the official Android market, but what they were really getting was a dangerous trojan coming straight for their financial accounts. The dropper’s ability to remain undetected demonstrates the importance of why users should install a mobile security solution on their device. It is not enough to just scan the app during the evaluation period, as a malicious actor can, and will, change the application’s behavior using readily available 3rd party tools.”

CPR reported its findings to Google on January 28, 2021. On February 9th, 2021, Google confirmed that all Clast82 apps were removed from the Google Play Store.