A new investigation of the Check Point Research Team found a malware dropper that has been spreading using 9 malicious apps available on the official Google Play Store.
To evade the Google Play Store's detection mechanisms, the threat's author used a set of techniques dubbed Clast82.
In detail, the dropper first evaluates the target and only then swaps its benign payload for the AlienBot Banker and MRAT.
The AlienBot malware family is a Malware-as-a-Service (MaaS) for Android devices; it generally enables a remote threat actor to inject malicious code into legitimate financial apps.
Findings and Timeline
Crooks gain access to the victim's accounts, take full control of the device, and are also able to control some of its functions.
The timeline declared by the cybersecurity researchers is given below:
- January 27th: First discovery
- January 28th: Report to Google
- February 9th: Google confirmed that all Clast82 apps had been removed from the Google Play Store.
The affected Android apps have ~15000 installations; the full list is given below:
- Cake VPN
- Two versions of eVPN
- QR/Barcode Scanner MAX
- Music Player
- Pacific VPN
The investigators found that the configuration sent from the Firebase C&C includes an “enable” parameter. This parameter was set to false and only turned “true” once Google had published the Clast82 apps on Google Play.
This malware is especially good at hiding, because the payload dropped by Clast82 does not originate from Google Play. That is why scanning the applications before approving them for listing would not actually stop the installation of the malicious payload.
The analysts reported the malicious apps to Google on January 29, a day after their detection, and on February 9 Google confirmed that the malware had been removed from the Play Store.
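The defender-side consequence of this gating is that a single review-time capture of the remote configuration proves nothing; the app has to be re-queried after publication. The script below is an added example (not Check Point's tooling and not the dropper's code) that compares constructed Firebase-style config snapshots captured at different times, flags boolean gate keys that flip between captures, and flags APK download URLs served from outside the store. The key names, the trusted-host list and the sample snapshots are assumptions.

```python
import json
from urllib.parse import urlparse

# Assumption: only the store itself is a trusted code source; any other host
# serving an .apk is treated as an off-store payload.
TRUSTED_HOSTS = {"play.google.com"}
# Assumption: typical names for a remote kill switch / activation flag.
GATE_KEYS = {"enable", "enabled", "active", "allow"}


def analyze_snapshots(snapshots):
    """snapshots: list of (label, json_text) captured at different times.

    Returns {"gates": {key: [(old, new, label), ...]},
             "off_store": [url, ...],
             "verdict": "suspicious" | "clean"}.
    A gate that changes value between captures, or any off-store APK URL,
    makes the verdict "suspicious".
    """
    flips = {}
    off_store = set()
    previous = {}
    for label, text in snapshots:
        cfg = json.loads(text)
        for key, value in cfg.items():
            if key.lower() in GATE_KEYS and isinstance(value, bool):
                if key in previous and previous[key] != value:
                    flips.setdefault(key, []).append((previous[key], value, label))
                previous[key] = value
            if isinstance(value, str) and value.lower().startswith("http"):
                host = urlparse(value).hostname or ""
                if host not in TRUSTED_HOSTS and value.lower().endswith(".apk"):
                    off_store.add(value)
    verdict = "suspicious" if flips or off_store else "clean"
    return {"gates": flips, "off_store": sorted(off_store), "verdict": verdict}


# Constructed sample: the flag is false while the app is under review and
# flips to true once the app is live; the payload URL never points at the store.
SNAPSHOTS = [
    ("during-review", '{"enable": false, "payload": "https://cdn.example.invalid/update.apk"}'),
    ("after-publish", '{"enable": true, "payload": "https://cdn.example.invalid/update.apk"}'),
]

if __name__ == "__main__":
    print(analyze_snapshots(SNAPSHOTS))
```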
Pedro Tavares is a professional in the field of information security working as an Ethical Hacker/Pentester, Malware Researcher and also a Security Evangelist. He is also a founding member of CSIRT.UBI and Editor-in-Chief of the computer security blog seguranca-informatica.pt.
In recent years he has invested in the field of information security, exploring and analyzing a wide range of topics, such as pentesting (Kali Linux), malware, exploitation, hacking, IoT and security in Active Directory networks. He is also a freelance writer (Infosec Resources Institute and Cyber Defense Magazine) and the developer of 0xSI_f33d, a feed that compiles phishing and malware campaigns targeting Portuguese citizens.