Security News > 2021 > March > 9 Android Apps On Google Play Caught Distributing AlienBot Banker and MRAT Malware
Cybersecurity researchers have discovered a new malware dropper contained in as many as 9 Android apps distributed via Google Play Store that deploys a second stage malware capable of gaining intrusive access to the financial accounts of victims as well as full control of their devices.
"This dropper, dubbed Clast82, utilizes a series of techniques to avoid detection by Google Play Protect detection, completes the evaluation period successfully, and changes the payload dropped from a non-malicious payload to the AlienBot Banker and MRAT," Check Point researchers Aviran Hazum, Bohdan Melnykov, and Israel Wernik said in a write-up published today.
After the findings were reported to Google on January 28, the rogue apps were removed from the Play Store on February 9.
Equally popular are other methods like versioning, which refers to uploading a clean version of the app to the Play Store to build trust among users and then sneakily adding unwanted code at a later stage via app updates, and incorporating time-based delays to trigger the malicious functionality in an attempt to evade detection by Google.
In the event the option to install apps from unknown sources has been turned off, Clast82 repeatedly urges the user every five seconds with a fake "Google Play Services" prompt to enable the permission, ultimately using it to install AlienBot, an Android banking MaaS capable of stealing credentials and two-factor authentication codes from financial apps.
"With a simple manipulation of readily available 3rd party resources - like a GitHub account, or a FireBase account - the hacker was able to leverage readily available resources to bypass Google Play Store's protections. The victims thought they were downloading an innocuous utility app from the official Android market, but what they were really getting was a dangerous trojan coming straight for their financial accounts."
News URL
Related news
- Germany sinkholes BadBox malware pre-loaded on Android devices (source)
- Germany blocks BadBox malware loaded on 30,000 Android devices (source)
- Android malware found on Amazon Appstore disguised as health app (source)
- BadBox malware botnet infects 192,000 Android devices despite disruption (source)
- New FireScam Android malware poses as RuStore app to steal data (source)
- New FireScam Android data-theft malware poses as Telegram Premium app (source)
- FireScam Android Malware Poses as Telegram Premium to Steal Data and Control Devices (source)
- DoNot Team Linked to New Tanzeem Android Malware Targeting Intelligence Collection (source)
- Fake Homebrew Google ads target Mac users with malware (source)
- Google blocked 2.36 million risky Android apps from Play Store in 2024 (source)