Researchers at cybersecurity firm Check Point found malware in eight applications on the Google Play Store.
These apps were designed to let the attacker obtain access to the victim’s financial accounts and take full control over their phone. The applications are mostly VPNs, QR Readers, and music players.
The malware is known as Clast82, and it is able to evade detection by Google Play Protect.
The dropper’s malicious behavior can be deactivated during the evaluation and later switched on to drop a malicious payload, the AlienBot Banker and mobile remote access trojan, using GitHub as a third-party hosting platform.
AlienBot is malware designed for Android devices. Once a user downloads an application from the Play Store that contains this malware, it allows criminals to inject malicious code into legitimate financial applications. It can even bypass two-factor authentication codes on banking apps.
“The victims thought they were downloading an innocuous utility app from the official Android Market, but what they were really getting was a dangerous Trojan coming straight for their financial accounts,” said Check Point manager of mobile research Aviran Hazum.
According to Check Point, all these apps were created by the same actor.
The malicious apps were Cake VPN, eVPN, BeatPlayer, QR/Barcode Scanner MAX, Music Player, tooltipnatorlibrary, and QRecorder.
These apps were discovered in late January, and Check Point then alerted Google. Google successfully removed the malicious apps from the Play Store on February 9.