Malicious apps on Google Play dropped banking Trojans on user devices

The utility apps contained a previously-unknown dropper for financial malware.
Written by Charlie Osborne, Contributing Writer

Google has removed 10 apps from the Play Store which contained droppers for financial Trojans. 

On Tuesday, Check Point Research (CPR) said in a blog post that the Android applications appear to have been submitted by the same threat actor who created new developer accounts for each app.

The dropper was loaded into otherwise innocent-looking software and each of the 10 apps were utilities, including Cake VPN, Pacific VPN, BeatPlayer, QR/Barcode Scanner MAX, and QRecorder. 

The utilities' functionality is ripped from existing, legitimate open source Android apps. 

In order to avoid detection by Google's standard security protections, Firebase was used as a platform for command-and-control (C2) communication and GitHub was abused for payload downloads. 

According to the researchers, the hidden dropper's C2 infrastructure contains parameters -- enable or disable -- to 'decide' whether or not to trigger the app's malicious functions. The parameter is set to "false" until Google has published the app, and then the trap springs. 

Dubbed Clast82, CPR says the newly-discovered dropper has been designed to deliver financial malware. Once triggered, second-stage payloads are pulled from GitHub including mRAT and AlienBot.

"If the infected device prevents installations of applications from unknown sources, Clast82 prompts the user with a fake request, pretending to be 'Google Play Services' requesting the user to allow the installation every five seconds," the team says. 

MRAT is used to provide remote access to a compromised mobile device, whereas AlienBot facilitates the injection of malicious code into existing, legitimate financial apps. Attackers can hijack banking apps to obtain access to user accounts and steal their financial data, and the malware will also attempt to intercept two-factor authentication (2FA) codes. 

The researchers reported the malicious apps to Google on January 29, a day after discovery. By February 9, Google had confirmed that the malware had been removed from the Play Store. The apps accounted for roughly 15,000 installs.

 "The hacker behind Clast82 was able to bypass Google Play's protections using a creative, but concerning, methodology," commented Aviran Hazum, Check Point mobile research manager. "With a simple manipulation of readily available third-party resources -- like a GitHub account, or a FireBase account -- the hacker was able to leverage readily available resources to bypass Google Play Store's protections."

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards