A malware dropper that paves the way for attackers to remotely steal data from Android phones has been spreading via nine malicious apps on the official Google Play store, according to researchers.
The malware is part of a campaign aimed at lifting victims’ financial information, but which also allows eventual takeover of mobile phones, according to Check Point Research.
The dropper, dubbed Clast82, was disguised in benign apps, which don’t fetch a malicious payload until they have been vetted and cleared by Google Play Protect. Google Play Protect is the store’s evaluation mechanism, meant to weed out apps with ill intent and malicious functions.
“During the Clast82 evaluation period on Google Play, the configuration sent from the [Google] Firebase [command-and-control server] contains an ‘enable’ parameter,” according to Check Point’s research, released on Tuesday. “Based on the parameter’s value, the malware will decide to trigger the malicious behavior or not. This parameter is set to ‘false’ and will only change to ‘true’ after Google has published the Clast82 malware on Google Play.”
Once ensconced in Google Play, Clast82 fetches the AlienBot banking trojan, or in some cases MRAT, the investigation found.
Info-stealers AlienBot and MRAT
AlienBot is available in a malware-as-a-service (MaaS) model, and it allows a remote attacker to inject malicious code into legitimate financial applications, Check Point noted.
“The attacker obtains access to victims’ accounts, and eventually completely controls their device,” according to the firm’s analysis. “Upon taking control of a device, the attacker has the ability to control certain functions, just as if they were holding the device physically, like installing a new application on the device, or even control it with TeamViewer.”
MRAT meanwhile has been around since at least 2014, when it was used against Hong Kong protestors. It was created for reconnaissance and information-gathering, and sports all of the typical spyware features, plus detection evasion, specific checks for antivirus, app and file deletion functionality, and more.
Both payloads were hosted on GitHub. AlienBot was by far the more commonly delivered to victims.
“In the case of Clast82, we were able to identify over 100 unique payloads of the AlienBot, an Android MaaS banker targeting financial applications and attempting to steal the credentials and [two-factor authentication] 2FA codes for those applications,” researchers noted.
GitHub Projects Tied to Malicious Android Apps
Check Point’s analysis found that for each application, the actor created a new developer user for the Google Play store, along with a corresponding code repository in GitHub.
“The actor used legitimate and known open-sourced Android applications, which the actor added the malicious code into in order to provide functionality to the malicious dropper, along with the reason for the victim to download and install it from the official Google Play store,” the researchers explained.
For instance, the malicious Cake VPN application is based on a legitimate GitHub repository.
Across all of the fake developer accounts on Google Play, there was a single email address listed for contact information: sbarkas77590ATgmail.com. Also, each application writeup used the same Policy page, which in turn linked to the same GitHub repository. Clearly, all of the apps were the work of a single author.
Clast82 Malware Infection Flow
Typically, one activity in any given Android app is specified as the “main” activity (MainActivity.java), which is presented to the user when the app is launched. In this case, when a user launches a Clast82 app, MainActivity starts a foreground service to perform the malicious dropping task, Check Point found.
This service is straightforwardly called “LoaderService.”
“Once a user downloads one of the fake apps and launches it, it starts a service from MainActivity that starts a dropping flow called LoaderService,” researchers explained. “The foreground service registers a listener for the Firebase real-time database, from which it receives the payload path from GitHub.”
Android developer rules specify that when an application creates a foreground service like this, it must show an ongoing notification to the user about what the app is doing.
“Clast82 bypassed this by showing a ‘neutral’ notification,” according to Check Point. “In the case of…the Cake VPN app, the notification shown is ‘GooglePlayServices’ with no additional text.”
Meanwhile, the app waits for a command from the Firebase C2. Once it is told to run the “loadAndInstallApp” function, the app downloads the payload from GitHub. It then calls the “installApp” method to finalize the malicious activity.
If the infected device prevents installations of applications from unknown sources, Clast82 prompts the user with a fake request, pretending to be “Google Play Services.” These fake requests will pop up every five seconds.
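A defender-side triage sketch for the two user-visible behaviors described above: the blank “GooglePlayServices” foreground notification and the install prompt repeated every five seconds. This is an added example, not code from Check Point or the original article; the JSON-lines event schema, field names, package names and thresholds are assumptions constructed for illustration.

```python
import json
import re
from collections import defaultdict

# Constructed telemetry in a hypothetical JSON-lines schema; not real device logs.
SAMPLE_EVENTS = """\
{"ts": 100, "pkg": "com.example.vpnapp", "type": "notification", "title": "GooglePlayServices", "text": "", "ongoing": true}
{"ts": 130, "pkg": "com.example.vpnapp", "type": "install_prompt", "label": "Google Play Services"}
{"ts": 135, "pkg": "com.example.vpnapp", "type": "install_prompt", "label": "Google Play Services"}
{"ts": 140, "pkg": "com.example.vpnapp", "type": "install_prompt", "label": "Google Play Services"}
{"ts": 150, "pkg": "com.google.android.gms", "type": "notification", "title": "Google Play services", "text": "Updating", "ongoing": true}
{"ts": 200, "pkg": "com.example.player", "type": "notification", "title": "Now playing", "text": "Track 1", "ongoing": true}
{"ts": 300, "pkg": "com.example.files", "type": "install_prompt", "label": "File Manager"}
"""

def is_google_pkg(pkg):  # the genuine Play Services package is com.google.android.gms
    return pkg.startswith("com.google.")

def looks_like_play_services(label):
    # Normalise so "GooglePlayServices" and "Google Play Services" compare equal.
    return "googleplayservices" in re.sub(r"[^a-z0-9]", "", label.lower())

def triage(jsonl, min_prompts=3, max_gap=6.0):
    """Return {package: [findings]} for non-Google apps posing as Play Services."""
    findings = defaultdict(set)
    prompts = defaultdict(list)
    for line in filter(str.strip, jsonl.splitlines()):
        ev = json.loads(line)
        pkg = ev["pkg"]
        if is_google_pkg(pkg):
            continue
        if (ev["type"] == "notification" and ev.get("ongoing")
                and looks_like_play_services(ev.get("title", ""))
                and not ev.get("text", "").strip()):
            findings[pkg].add("blank_google_notification")
        elif ev["type"] == "install_prompt" and looks_like_play_services(ev.get("label", "")):
            prompts[pkg].append(float(ev["ts"]))
    for pkg, times in prompts.items():
        times.sort()
        run = 1  # length of the current burst of closely spaced prompts
        for prev, cur in zip(times, times[1:]):
            run = run + 1 if cur - prev <= max_gap else 1
            if run >= min_prompts:
                findings[pkg].add("repeated_install_prompt")
    return {pkg: sorted(tags) for pkg, tags in findings.items()}

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

Either finding alone is a reason to review the app; both together on a package outside the `com.google.` namespace match the behavior reported for Clast82.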
Infected Clast82 Applications for Android
After Check Point Research reported its findings to the Android Security team, Google confirmed that all Clast82 apps were removed from the Google Play Store. However, victims with the apps already installed remain at risk. The affected apps are as follows:
- BeatPlayer
- Cake VPN
- Two versions of eVPN
- Music Player
- Pacific VPN
- QR/Barcode Scanner MAX
- QRecorder
- tooltipnattorlibrary