In a blog post on Tuesday, Check Point Research (CPR) describe a previously-unknown dropper they dubbed Clast82 that distributed financial Trojans to multiple malicious and legitimate apps on the Play Store.
Google has already removed the malicious apps from the store. The 10 Android utility apps contained droppers for financial malware, AlienBot Banker And MRAT. They appeared to have been submitted by the same threat actor, but created new developer accounts for each app, the researchers say in the report.
The email of the developer on the Play Store was email@example.com and the “Offered by” field contained names that clearly indicate nationals from the Post-Soviet nations: Rustam Mamaliev and Ivan Kiselev.
The utilities infected with the Clast82 dropper included Cake VPN, Pacific VPN, BeatPlayer, QR/Barcode Scanner MAX, and QRecorder.
The utilities were based on benign open-source Android apps. To avoid detection by Google’s security checks, the cybercriminals used Firebase as a platform for command-and-control (C2) communication and GitHub for downloading payloads.
According to the researchers, the hidden dropper’ was in an inactive state until Google has published the app, and then the bad actor woke it up.
Dubbed Clast82 by CPR, the dropper has been specifically designed to deliver financial malware. Upon deployment, it unleashes mRAT and AlienBot in payloads hosted on GitHub.
To circumvent the Android restrictions on the installation of applications from unknown sources, Clast82 mimics “Google Play Services” and prompts the user to allow the installation every five seconds, the CPR explained.
Once delivered, MRAT provides the hackers with remote access to a compromised mobile device. And AlienBot is used to inject malicious code into legitimate financial apps installed on the compromised device. In this way, attackers obtain access to user accounts and steal their financial data. The malware is also capable of intercepting two-factor authentication (2FA) codes.
The researchers reported the malicious apps to Google and the tech giant confirmed the malware had been removed from the Play Store, but the fake apps have been installed roughly 15,000 times.
Aviran Hazum, Check Point mobile research manager, called the method the hacker behind Clast82 used to bypass Google Play’s protections “creative, but concerning.” “With a simple manipulation of readily available third-party resources — like a GitHub account, or a FireBase account — the hacker was able to leverage readily available resources to bypass Google Play Store’s protections,” Hazum wrote.
Image: Check Point Research