A dropper has been discovered spreading via Google Play Store to deliver financial trojans. Dubbed Clast82, the dropper was found spreading AlienBot Banker and MRAT trojans on infected Android devices.
Making the headlines
Clast82 has been impersonating innocent-looking software and was found spoofing ten utility applications, including Cake VPN, QRecorder, Pacific VPN, QR/Barcode Scanner MAX, and BeatPlayer.
- While MRAT provides remote access to compromised devices, AlienBot is used to inject malicious code into genuine applications installed in smartphones.
- Both the banking trojans help hackers take over banking applications, steal financial data, and also intercept 2FA codes on the victims’ devices.
Tactics, Techniques, and Procedures
The operators of this campaign have used several tactics to evade detection and dupe victims into installing malicious applications.
- To bypass Google Play’s protection, the attacker simply manipulated readily available third-party resources, such as GitHub/FireBase accounts.
- The dropper's C2 infrastructure is hidden and includes parameters, such as enable or disable - to choose or decide when to trigger the application’s malicious functions as required.
- If a device prevents the installations of applications from unknown sources, it shows the user a fake request pretending to be from Google Play Services to allow the installation every five seconds.
It is quite evident that the attackers are financially motivated. This threat could prove to be fatal for users who use mobile banking for their daily operations and get duped for their hard-earned money. For such reasons, security analysts recommend having an anti-malware application installed on their devices. Meanwhile, Google confirmed removing the malware from the Play Store.