



Google has removed 10 apps from the Play Store after they were found to carry a financial Trojan dropper.

On Tuesday, Check Point Research (CPR) said in a blog post that the Android applications appear to have been submitted by the same threat actor, who created a new developer account for each app.

The dropper was embedded in software that otherwise looked innocent; the 10 apps were utilities such as Cake VPN, Pacific VPN, BeatPlayer, QR/Barcode Scanner MAX, and QRecorder.

The utility functionality itself was lifted from existing, legitimate open-source Android apps.

To circumvent Google Play's standard security protections, Firebase was used as the platform for command-and-control (C2) communications, and GitHub was abused to host the payloads the dropper downloads.

According to the researchers, the hidden dropper's C2 configuration holds a parameter (enabled or disabled) that decides whether the app's malicious functionality is triggered. The parameter stays set to "false" until Google publishes the app, after which it is switched on and the trap springs.

CPR calls the newly discovered dropper Clast82 and says it is designed to deliver financial malware. When triggered, it retrieves a second-stage payload from GitHub, which includes mRAT and AlienBot.

“If an infected device prevents applications from being installed from unknown sources, Clast82 will prompt the user with a fake request, pretending to be ‘Google Play Services’, asking the user to allow the installation every 5 seconds,” says the team.

mRAT is used to provide remote access to compromised mobile devices, while AlienBot facilitates the injection of malicious code into existing legitimate financial apps. An attacker could hijack a banking app to gain access to a user's account and steal financial data. The malware also attempts to intercept two-factor authentication (2FA) codes.
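As an added defender-side example (not code from the article or from Check Point), the following Python triage heuristic scores an app's static artifacts for the combination described above: a Firebase-hosted flag that toggles the malicious behaviour, a binary payload fetched from GitHub, and the ability to prompt the user to sideload it. The host patterns, the permission name, and the two sample apps are assumptions constructed for illustration, not indicators from the report.

```python
from dataclasses import dataclass

# Assumed indicator patterns (constructed, not taken from the report): the hosting
# services the dropper relied on, and the permission needed to prompt a sideload.
FIREBASE_HOSTS = ("firebaseio.com", "firebaseremoteconfig.googleapis.com")
PAYLOAD_HOSTS = ("raw.githubusercontent.com", "github.com")
SIDELOAD_PERMISSION = "android.permission.REQUEST_INSTALL_PACKAGES"
FLAG_WORDS = ("enable", "disable")
SUSPICIOUS_THRESHOLD = 5

@dataclass(frozen=True)
class ApkArtifacts:  # what a decompiler yields: manifest permissions and DEX strings
    package: str
    permissions: frozenset
    strings: tuple

def score_dropper_indicators(apk):
    """Return (score, reasons). Firebase alone is normal in benign apps, so weight
    goes to the combination the dropper needs: remote flag, payload, sideload."""
    lower = [s.lower() for s in apk.strings]
    score, reasons = 0, []
    if any(any(h in s for h in FIREBASE_HOSTS) and any(w in s for w in FLAG_WORDS)
           for s in lower):
        score += 2
        reasons.append("Firebase-hosted on/off flag")
    if any(any(h in s for h in PAYLOAD_HOSTS) and s.endswith((".apk", ".dex"))
           for s in lower):
        score += 3
        reasons.append("binary payload URL on a code-hosting site")
    if SIDELOAD_PERMISSION in apk.permissions:
        score += 2
        reasons.append("can prompt the user to install downloaded packages")
    if score and any("google play services" in s for s in lower):
        score += 1  # the fake install prompt impersonates Google Play Services
        reasons.append("Google Play Services string beside C2/payload indicators")
    return score, reasons

def is_suspicious(apk):
    return score_dropper_indicators(apk)[0] >= SUSPICIOUS_THRESHOLD

# Constructed samples: a benign VPN app using Firebase only for analytics, and an
# app matching the dropper pattern (placeholder hosts, not real indicators).
BENIGN = ApkArtifacts("com.example.vpn", frozenset({"android.permission.INTERNET"}),
                      ("https://example-vpn.firebaseio.com/stats", "Connected"))
DROPPER_LIKE = ApkArtifacts(
    "com.example.qrscanner", frozenset({"android.permission.INTERNET", SIDELOAD_PERMISSION}),
    ("https://placeholder-c2.firebaseio.com/enabled",
     "https://raw.githubusercontent.com/placeholder/repo/main/update.apk",
     "Google Play Services"))
```

Run over real decompiler output, the score is a triage signal for manual review, not a verdict.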

The researchers reported the malicious apps to Google on January 29, the day after the discovery. By February 9, Google confirmed that the malware had been removed from the Play Store. The apps accounted for about 15,000 installations.

“The hackers behind Clast82 were able to use creativity to circumvent the protection of Google Play, but the methodology is concerning,” said Aviran Hazum, Check Point Mobile Research Manager. “By simply manipulating out-of-the-box third-party resources, such as GitHub and Firebase accounts, hackers were able to take advantage of out-of-the-box resources and circumvent the protection of the Google Play store.”

