These Android Apps Can Steal From Bank Accounts And Take Over Phones, Research Found

Android malware gets in on Google Play

Google's Android is a versatile, flexible and powerful operating system. But despite many improvements and enhancements, it still harbors some serious issues.

And one of the most common issues involving the popular operating system is dangerous apps making their way into the Google Play Store, waiting to be downloaded by unsuspecting users. This time, researchers at Check Point Research said they found eight dangerous apps in the Google Play Store carrying a malware dropper called 'Clast82.'

In their report, the cyber threat intelligence firm said the apps carry a malware dropper that was able to avoid detection by Google Play Protect.

What makes it scary is that the malware the apps deliver could also drain bank accounts.

And if that isn't scary enough, the payload dropped by these eight apps also includes a Remote Access Trojan (RAT) capable of taking “full control over a victim’s phone — making it as if the hacker is holding the phone physically.”

According to the Check Point findings, the dropper's preferred payload is the AlienBot Malware-as-a-Service (MaaS), which allows attackers to remotely inject malicious code into legitimate financial applications on Android devices.

As the researchers explained in their Check Point blog post:

“The attacker obtains access to victims’ accounts, and eventually completely controls their device.”

“Upon taking control of a device, the attacker has the ability to control certain functions, just as if they were holding the device physically, like installing a new application on the device, or even control it with TeamViewer.”

The eight apps in question, along with their package names, are as follows, according to Check Point Research:

  1. Cake VPN (com.lazycoder.cakevpns).
  2. Pacific VPN (com.protectvpn.freeapp).
  3. eVPN (com.abcd.evpnfree).
  4. BeatPlayer (com.crrl.beatplayers).
  5. QR/Barcode Scanner MAX (com.bezrukd.qrcodebarcode).
  6. Music Player (com.revosleap.samplemusicplayers).
  7. tooltipnatorlibrary (com.mistergrizzlys.docscanpro).
  8. QRecorder (com.record.callvoicerecorder).

The apps were able to pass Google Play's evaluation period by keeping the parameter that holds the malicious trigger set to 'false'. According to the researchers, the malware “decides” whether or not to trigger the malicious behavior based on this parameter alone, so while it is 'false' the app behaves like the benign VPN, player or scanner it claims to be.

The parameter is changed to 'true' only after Google has published the Clast82-carrying app on Google Play, at which point the app fetches and runs its payload on the victim's device.

"The malware’s ability to remain undetected demonstrates the importance of why a mobile security solution is needed. It is not enough to just scan the app during the evaluation period, as a malicious actor can, and will, change the application’s behavior using 3rd party tools," Check Point wrote.

"As the payload dropped by Clast82 does not originate from Google Play, the scanning of applications before submission to review would not actually prevent the installation of the malicious payload. A solution that monitors the device itself, constantly scanning network connections and behaviors by application would be able to detect such behavior."
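The gating mechanism described above (a remote flag kept false during review and flipped to true after publication) and the device-side behavioral monitoring Check Point recommends, as an added Python example. This is not Check Point's code and nothing here is taken from the Clast82 sample: the event log format, the package names, the `enable` flag name, the download URL and the trusted-origin allowlist are all constructed for illustration.

```python
"""Added example: a dropper gated by a remote boolean, and a device-side
detector that flags code fetched from outside the store and then run.
All identifiers and events below are constructed, not from the real malware."""
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import urlparse


@dataclass
class Event:
    ts: int        # monotonic timestamp in seconds (constructed)
    package: str   # Android package name of the app that caused the event
    kind: str      # "config_fetch" | "net_download" | "dyn_load" | "install_request"
    detail: str    # URL for downloads, file name for loads/installs, key=value for config


# Hypothetical allowlist of origins from which code delivery is expected.
TRUSTED_CODE_ORIGINS = {"play.googleapis.com", "android.clients.google.com"}
# File suffixes that mean "executable code arrived over the network".
CODE_SUFFIXES = (".apk", ".dex", ".jar", ".so")


def simulate_dropper(package: str, enable: bool, ts: int = 0) -> List[Event]:
    """Model the Clast82 pattern: one remote boolean decides whether the
    malicious path runs. The flag name 'enable' is an assumption."""
    events = [Event(ts, package, "config_fetch", f"enable={'true' if enable else 'false'}")]
    if not enable:
        # Review phase: flag is false, so only the benign activity ever happens.
        return events
    # After publication the operator flips the flag; only now is code fetched
    # from a non-store origin, loaded, and installed. URL is constructed.
    events.append(Event(ts + 1, package, "net_download",
                        "https://cdn.example.invalid/update/payload.apk"))
    events.append(Event(ts + 2, package, "dyn_load", "payload.apk"))
    events.append(Event(ts + 3, package, "install_request", "payload.apk"))
    return events


def _is_untrusted_code_download(ev: Event) -> bool:
    """True if the event is a download of a code artifact from an origin
    not on the allowlist (a URL with no host is treated as untrusted)."""
    if ev.kind != "net_download":
        return False
    url = urlparse(ev.detail)
    return url.path.lower().endswith(CODE_SUFFIXES) and url.hostname not in TRUSTED_CODE_ORIGINS


def detect(events: List[Event]) -> Dict[str, List[str]]:
    """Return {package: [reasons]} for packages that fetch code from an
    untrusted origin and later load or install it. A store-time scan never
    sees this sequence because it only exists once the remote flag is true."""
    findings: Dict[str, List[str]] = {}
    pending: Dict[str, Event] = {}   # package -> most recent untrusted code download
    for ev in sorted(events, key=lambda e: e.ts):
        if _is_untrusted_code_download(ev):
            pending[ev.package] = ev
        elif ev.kind in ("dyn_load", "install_request") and ev.package in pending:
            dl = pending[ev.package]
            findings.setdefault(ev.package, []).append(
                f"{ev.kind} of {ev.detail} after download from "
                f"{urlparse(dl.detail).hostname} at t={dl.ts}")
    return findings


if __name__ == "__main__":
    # During review nothing suspicious is logged; after the flip it is.
    print("review phase:", detect(simulate_dropper("com.example.vpn", False)))
    print("after flip:  ", detect(simulate_dropper("com.example.vpn", True)))
```

The point of the two calls at the bottom is that the same app produces no finding while the flag is false and two findings once it is true; a scanner that only runs during the evaluation window is looking at the first run, while a monitor on the device sees the second. A legitimate update delivered through a trusted origin is deliberately not flagged, which is why the allowlist is keyed on the origin rather than on the file type alone.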

The team at the cybersecurity firm found these apps on January 27 and notified Google about them the next day.

In February, Google confirmed that it had removed the reported apps from the Play Store.

While the apps are no longer available for download, users who already installed them have to remove them from their devices manually.

This is yet another incident that should remind people to always double-check apps before installing them. Android users should check the developers behind the apps they want to download, install only the apps they actually need, and prefer apps from known developers.

Published: 
12/03/2021