Just yesterday Hackread.com reported on a dangerous Android malware called Flubot that has already infected more than 60,000 devices and aims at stealing the banking data of its victims.
Now, researchers have identified ten apps on the Google Play Store that were infected with not one but two nasty Android banking trojans.
Google Play Store apps had banking trojans
The Israel-based Check Point Research team reported that several applications on Google Play Store were capable of hijacking smartphones and stealing money from users’ online bank accounts because they contained droppers for the AlienBot Banker and MRAT malware.
According to Check Point’s analysis, the same threat actor submitted all of these Android applications, creating a new developer account for each app. The dropper, dubbed Clast82, uses several techniques to avoid detection by Google Play Protect, complete the evaluation period, and then change the payload it drops from a non-malicious one to AlienBot Banker and MRAT.
Google removed 10 apps from Play Store
Check Point informed Google about the malicious applications on 28 January. Google confirmed this on 9 February and quickly removed all of them from Google Play.
The financial trojan dropper was found in harmless-looking applications. All ten applications were essentially utility apps, including Pacific VPN, Cake VPN, BeatPlayer, QRecorder, QR/Barcode Scanner Max, etc.
These applications were uploaded to Google Play Store after undergoing Google’s malicious-app screening process. The screening couldn’t detect that these apps were infected with banking trojans because they communicated only with Google-native Firebase cloud back-end servers, which many smartphone apps generally use.
How the attack works
After a user installs one of the ten malicious apps, the app starts communicating with the Microsoft-owned code-sharing platform GitHub. Each application contains a hidden dropper that can fetch other malicious software. The dropper downloads the AlienBot banking trojan from GitHub pages dedicated to each application. Check Point researcher Aviran Hazum wrote that:
“The victims thought they were downloading an innocuous utility app from the official Android Market, but what they were really getting was a dangerous Trojan coming straight for their financial accounts.”
If the infected device prevented the installation of apps from unknown sources, Clast82 displayed a fake request that appeared to come from Google Play Services every five seconds, asking the user to allow the installation, researchers revealed.
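The five-second prompt cadence after a GitHub download is a behaviour defenders can look for in device telemetry. The following is an added example, not code from Check Point or from the original article; the event format, package names, and the GitHub host patterns are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed device telemetry (not real logs): (seconds, package, event, detail).
# Package names and event labels are hypothetical.
SAMPLE_EVENTS = [
    (0, "com.example.vpn", "net", "firebaseio.com"),
    (3, "com.example.vpn", "net", "github.com"),
    (10, "com.example.vpn", "install_prompt", ""),
    (15, "com.example.vpn", "install_prompt", ""),
    (20, "com.example.vpn", "install_prompt", ""),
    (25, "com.example.vpn", "install_prompt", ""),
    (2, "com.example.notes", "net", "firebaseio.com"),
    (40, "com.example.notes", "install_prompt", ""),
    (400, "com.example.notes", "install_prompt", ""),
]

def is_github(host):
    """True for GitHub hosts (assumed patterns: github.com, *.github.com, *.github.io)."""
    return host == "github.com" or host.endswith((".github.com", ".github.io"))

def longest_periodic_run(times, period=5.0, tolerance=1.0):
    """Length of the longest run of prompts spaced about `period` seconds apart."""
    times = sorted(times)
    best = run = 1 if times else 0
    for prev, cur in zip(times, times[1:]):
        run = run + 1 if abs((cur - prev) - period) <= tolerance else 1
        best = max(best, run)
    return best

def flag_dropper_like(events, min_prompts=3):
    """Packages that fetched from GitHub, then nagged for install permission at a fixed cadence."""
    prompts, first_fetch = defaultdict(list), {}
    for ts, pkg, kind, detail in events:
        if kind == "net" and is_github(detail):
            first_fetch[pkg] = min(ts, first_fetch.get(pkg, ts))
        elif kind == "install_prompt":
            prompts[pkg].append(ts)
    flagged = []
    for pkg, times in prompts.items():
        if pkg not in first_fetch:
            continue  # Firebase-only traffic is common and not suspicious by itself
        after = [t for t in times if t >= first_fetch[pkg]]
        if longest_periodic_run(after) >= min_prompts:
            flagged.append(pkg)
    return sorted(flagged)
```
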
What are MRAT and AlienBot?
AlienBot is a Malware-as-a-Service for Android devices that lets a remote attacker inject malicious code into legitimate financial apps, giving the attacker access to and control over the victim’s accounts and mobile device.
Even worse, it can install the Android version of TeamViewer to control a computer or smartphone from afar and log into the victim’s bank account at any time. MRAT provides remote access to a compromised mobile device.
How to protect yourself from Android malware
When malware is on Google Play Store, one can’t really blame unsuspecting users who trust Google to have scanned each and every app before allowing it on a marketplace that has billions of users. However, one thing that can be done is to refrain from downloading unnecessary apps.
Nevertheless, use a reliable anti-malware solution, scan your device regularly and keep it updated as well.