Android users hit by banking trojan in 10 Play Store apps

Another day, another Android banking trojan caught targeting unsuspecting users but this time it does it from Play Store without any prevention.


Just yesterday reported on a dangerous Android malware called Flubot that has already infected more than 60,000 devices and aims at stealing the banking data of its victims.

Now, researchers have identified ten apps that were infected with not one but two nasty pieces of Android banking trojan on the Google Play Store.

Google Play Store apps had banking trojans

Israel-based Check Point Research team reported that several applications on Google Play Store were capable of hijacking smartphones and stealing money from users’ online bank accounts because these contained the AlienBot Banker and MRAT droppers for banking trojans.

According to Check Point’s analysis, the same threat actor has submitted these Android applications by creating a new developer account for each of these apps. The dropper, dubbed Clast82, uses several techniques to avoid detection by Google Play Protect, complete the evaluation period and change a non-malicious payload to MRAT and the AlienBot.

Google removed 10 apps from Play Store

Check Point informed Google about the malicious applications on 28 January. It was confirmed by Google on 9 February and quickly removed all of them from Google Play.


The financial trojan dropper was found in harmless-looking applications. All the ten applications were essentially utility apps, including Pacific VPN, Cake CPN, BeatPlayer, QRecorder, QR/Barcode Scanner Max, etc.

3 such apps on the Play Store outlined by Checkpoint researchers

These applications were uploaded on Google Play Store after undergoing Google’s malicious-app screening process. The system couldn’t detect that these apps were infected with banking trojans because these communicated only with Google-native Firebase cloud back-end servers, which many smartphone apps generally use.

How the Attack Works?

After a user installed one of the ten malicious apps, they start communicating with Microsoft-owned code-sharing platform, GitHub. Each application contained a hidden dropper that can fetch other malicious software. The dropper downloads the AlienBot banking trojan from GitHub pages dedicated to each application. Check Point researcher Aviran Hazum wrote that:

“The victims thought they were downloading an innocuous utility app from the official Android Market, but what they were really getting was a dangerous Trojan coming straight for their financial accounts.”


If the infected device prevented the installation of apps from unknown sources, Clast82 sent a fake request from Google Play Services every five seconds asking the user to allow the installation, researchers revealed.

What are MRAT and AlienBot?

AlienBot is a Malware-as-a-Service for Android devices that lets a remote hacker inject malicious code on legit financial apps to let the attacker access and control the victim’s accounts and mobile device.

Even worse is that it can install the Android TeamViewer version to control a computer or smartphone from afar and log into the victim’s bank account at any time. MRAT provides remote access to a compromised mobile device.

How to protect yourself from Android malware

When malware is on Google Play Store one can’t really blame unsuspecting users who trust Google to have scanned each and every app before allowing it on a marketplace that has billions of users. However, one thing that can be done is refraining yourself from downloading unnecessary apps.

Nevertheless, use a reliable anti-malware solution, scan your device regularly and keep it updated as well. You can also subscribe to to keep yourself updated on the latest in the cybersecurity industry.


Did you enjoy reading this article? Don’t forget to like our page on Facebook and follow us on Twitter

1 comment
  1. Google should be more aware of the security they’re displaying in their store. We as users should trust developers to have our devices safe. Thanks for sharing this info.

Comments are closed.

Related Posts