Google has removed 10 apps from the Play Store that contained droppers for financial Trojans.
Check Point Research (CPR) reported in a blog post that all of the Android apps were submitted by the same threat actor, who created a new developer account for each app.
The dropper was hidden inside innocent-looking software: each of the 10 apps was a utility, including Cake VPN, Pacific VPN, BeatPlayer, QR/Barcode Scanner MAX, and QRecorder.
The actual functionality of these utilities was copied from existing, legitimate open-source Android apps.
To avoid detection by Google's standard security protections, the dropper used Firebase as its command-and-control (C2) channel and abused GitHub to host its payloads.
According to the researchers, the hidden dropper's C2 configuration carries an enable/disable parameter that decides whether the app's malicious functions are triggered. The parameter stays set to "false" until Google has reviewed and published the app; only then is it flipped, and the trap springs.
The new dropper, dubbed Clast82, was designed to deliver financial malware. Once triggered, it pulls second-stage payloads from GitHub, including mRAT and AlienBot.
If the infected device blocks installation of apps from unknown sources, Clast82 prompts the user every five seconds with a fake request, posing as "Google Play Services", asking them to allow the installation.
mRAT provides remote access to the compromised device, while AlienBot injects malicious code into existing, legitimate financial apps. This lets the attackers hijack banking apps to gain access to user accounts and steal financial data; the malware also attempts to intercept two-factor authentication (2FA) codes.
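The three ingredients described above (Firebase as the C2 channel for a remote on/off flag, GitHub as the payload host, and the ability to sideload an APK once the user is talked into allowing it) are all things a static triage pass can look for without executing the app. The script below is an added example of such a heuristic, not code from Check Point or from the Clast82 sample. The manifest and string lists are constructed for the example; the package name, Firebase project name and GitHub paths are placeholders, not indicators from the article. It assumes the app needs `REQUEST_INSTALL_PACKAGES` to launch the package installer (true on Android 8+) and that the Firebase SDK's `ComponentDiscoveryService` shows up in the merged manifest.

```python
"""Static triage heuristic for the Clast82-style dropper pattern (added example).

Looks for the three ingredients the Check Point write-up describes:
  1. Firebase as the C2 channel carrying the remote enable/disable flag,
  2. GitHub as the host for the second-stage APK,
  3. the ability to sideload that APK (the fake "Google Play Services"
     prompt exists precisely because unknown-sources is often off).
Input: a decoded AndroidManifest.xml and a list of strings recovered from
the APK (e.g. from classes.dex or decoded resources).
"""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumption: a dropper that installs a downloaded APK on Android 8+ needs
# this permission to launch the package installer.
INSTALL_PERM = "android.permission.REQUEST_INSTALL_PACKAGES"

# Generic service endpoints, not IoCs taken from the article.
PATTERNS = {
    "firebase_endpoint": re.compile(
        r"https?://[\w.-]+\.(firebaseio\.com|firebasedatabase\.app)\b", re.I),
    "github_payload_url": re.compile(
        r"https?://(raw\.githubusercontent\.com|github\.com)/[\w.-]+/[\w.-]+/\S*\.apk\b", re.I),
    # MIME type handed to the installer intent when sideloading an APK.
    "package_installer_intent": re.compile(r"application/vnd\.android\.package-archive"),
}


def manifest_indicators(manifest_xml):
    """Return indicator labels derived from the decoded manifest."""
    root = ET.fromstring(manifest_xml)
    found = set()
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    if INSTALL_PERM in perms:
        found.add("can_sideload_packages")
    # Assumption: the Firebase SDK registers services under com.google.firebase.
    for svc in root.iter("service"):
        if svc.get(ANDROID_NS + "name", "").startswith("com.google.firebase."):
            found.add("firebase_sdk_present")
    return found


def string_indicators(strings):
    """Return indicator labels for every pattern matched in the string list."""
    found = set()
    for s in strings:
        for label, pat in PATTERNS.items():
            if pat.search(s):
                found.add(label)
    return found


def triage(manifest_xml, strings):
    """Combine both sources; only the full combination is 'dropper-like'.

    Any single ingredient is common in benign apps (plenty of apps use
    Firebase, or link to GitHub), so the verdict counts ingredient groups,
    not raw indicators.
    """
    ind = manifest_indicators(manifest_xml) | string_indicators(strings)
    groups = (
        {"firebase_sdk_present", "firebase_endpoint"} & ind,   # remote flag
        {"github_payload_url"} & ind,                          # payload host
        {"can_sideload_packages", "package_installer_intent"} & ind,  # sideload
    )
    hits = sum(1 for g in groups if g)
    verdict = {3: "dropper-like", 2: "review"}.get(hits, "no-match")
    return {"indicators": sorted(ind), "verdict": verdict}


# Constructed sample input (placeholder names, not real indicators).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.qrscanner">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="QR Scanner">
    <service android:name="com.google.firebase.components.ComponentDiscoveryService"
             android:exported="false"/>
  </application>
</manifest>
"""
SAMPLE_STRINGS = [
    "https://example-project.firebaseio.com/enable",
    "https://raw.githubusercontent.com/example-user/example-repo/main/payload.apk",
    "application/vnd.android.package-archive",
    "Google Play Services",
]

# Constructed benign counterpart: a plain utility with no sideload ability.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.plainvpn">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Plain VPN"/>
</manifest>
"""
BENIGN_STRINGS = ["https://example.com/privacy", "Connect"]

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, SAMPLE_STRINGS))
    print(triage(BENIGN_MANIFEST, BENIGN_STRINGS))
```

The heuristic deliberately requires all three groups before calling an app dropper-like; Firebase usage alone would flag a large share of the Play Store. It also says nothing about the flag's runtime value, which is the whole point of the technique: a review-time analysis sees a "false" flag and benign behaviour, so the structural shape (remote flag, external payload host, sideload path) is what static review can still catch.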
The malicious apps were reported to Google on January 29, and by February 9, Google had confirmed that the malware had been removed from the Play Store. The apps accounted for roughly 15,000 installs.
Aviran Hazum, Check Point's mobile research manager, stated that the attackers behind the trojan were able to bypass Google Play's protections using a creative, but concerning, methodology. Using simple manipulation of readily available third-party resources, like a GitHub account or a Firebase account, the hacker was able to leverage readily available resources to bypass Google Play Store's protections.
Image credit: Avast Blog