10 utility apps on the OFFICIAL portal for Android device users harbored a dangerous malware dropper that could defy Google’s defenses.
Security in the Google Play Store is really getting lackluster. Yet another series of nasty apps has been detected in the portal—this time involving a malware dropped dubbed Clast82.
10 applications were implicated:
According to Check Point Research, Clast82 has the ability to avoid detection by Google Play Protect, complete the evaluation period successfully, and change the payload dropped from a non-malicious payload to the AlienBot Banker and mobile RAT.
The AlienBot malware family is a Malware-as-a-Service product for Android devices, that allows a remote attacker to inject malicious code into legitimate financial applications. The attacker obtains access to victims’ accounts, and eventually completely controls their device. Upon taking control of a device, the attacker has the ability to control certain functions, just as if they were holding the device physically, like installing a new application on the device, or even control it with TeamViewer.
Bypassing detection
During the Clast82 evaluation period on Google Play, the configuration sent from the Firebase C&C contains an ‘enable’ parameter. Based on the parameter’s value, the malware will ‘decide’ whether to trigger malicious behavior. This parameter is set to ‘false’ and will only change to ‘true’ after Google has published the Clast82 malware on Google Play.
The malware’s evasion tactics demonstrate how we cannot rely on Google to secure their play store. The onus is on users to take charge of their own mobile security.
It is not enough to just scan the app during the evaluation period, because a malicious actor can change the application’s behavior using third party tools. As the payload dropped by Clast82 did not originate from Google Play, the scanning of applications before submission to review would not actually prevent the installation of the malicious payload.
A solution that monitors the device itself, constantly scanning network connections and activities by application is better for detecting such malware techniques.
Check Point’s Manager of Mobile Research, Aviran Hazum, said: “With a simple manipulation of readily available third-party resources—like a GitHub account or a FireBase account—the hacker was able to bypass Google Play Store’s protections. The victims thought they were downloading an innocuous utility app from the official Android market, but what they were really getting was a dangerous trojan coming straight for their financial accounts.”