Check Point cybersecurity researchers recently discovered a malware dropper housed in malicious apps on the Google Play store, a new report said.
The dropper, which Check Point's researchers dubbed Clast82, delivers the AlienBot banker and mobile remote access trojan (RAT), enabling attackers to take control of a target's mobile phone and access their bank accounts, the cybersecurity provider said in a blog post. Google has since removed nine Clast82-laden apps from the Play Store, Check Point said.
The AlienBot family is distributed as malware-as-a-service for sale or rent, typically offered on the dark net, in what Check Point has described as a "fully active market" selling mobile malware. Check Point said it discovered Clast82 on January 27, 2021, notified Google's Android Security team a day later, and on February 9 Google removed the malicious apps.
Check Point observed that Clast82 can bypass detection by Google Play Protect, complete the Play Store evaluation period successfully, and then change the payload it drops from a non-malicious one to the AlienBot banker and RAT. The dropper allows a remote attacker to inject malicious code into legitimate financial applications.
“The malware’s ability to remain undetected demonstrates the importance of why a mobile security solution is needed,” Check Point wrote. “It is not enough to just scan the app during the evaluation period, as a malicious actor can, and will, change the application’s behavior using 3rd party tools.”
There is, however, a twist. Because the payload dropped by Clast82 does not originate from Google Play, the "scanning of applications before submission to review would not actually prevent the installation of the malicious payload," the blog post said. What is needed to detect the activity is a solution that monitors the device itself and repeatedly scans network connections and behaviors on a per-application basis, Check Point said.
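The per-application monitoring Check Point describes can be illustrated with a small correlation rule. The following is an added example, not code from Check Point or from the Clast82 analysis: it reads a constructed, hypothetical device telemetry feed (one line per app event) and flags any package that connects to a host outside Google Play, writes an APK to disk, and then requests a package install within a short window. The host allow-list, event names and sample lines are assumptions made for this illustration.

```python
"""Added example: flag apps that fetch and install a payload at runtime.

The telemetry format ("<ISO timestamp> <package> <event> <detail>"), the
event names and the sample lines below are constructed for this example;
they are not a real vendor feed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hosts a legitimate Play-delivered update path would use (constructed allow-list).
PLAY_HOSTS = {"play.googleapis.com", "android.clients.google.com"}

# Constructed telemetry: a dropper-like app and a benign app for comparison.
SAMPLE_EVENTS = """\
2021-01-27T10:00:01 com.example.vpnhelper NET_CONNECT play.googleapis.com
2021-01-27T10:00:05 com.example.vpnhelper NET_CONNECT cdn.example-host.test
2021-01-27T10:00:06 com.example.vpnhelper FILE_WRITE /data/data/com.example.vpnhelper/files/update.apk
2021-01-27T10:00:09 com.example.vpnhelper INSTALL_REQUEST /data/data/com.example.vpnhelper/files/update.apk
2021-01-27T10:05:00 com.example.notes NET_CONNECT api.notes.test
2021-01-27T10:05:02 com.example.notes FILE_WRITE /data/data/com.example.notes/cache/notes.db
"""


@dataclass
class Event:
    ts: datetime
    package: str
    kind: str
    detail: str


def parse_events(text):
    """Parse the constructed telemetry format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, package, kind, detail = line.split(maxsplit=3)
        events.append(Event(datetime.fromisoformat(ts), package, kind, detail))
    return events


def flag_runtime_droppers(text, window=timedelta(minutes=10)):
    """Return {package: [reasons]} for apps matching the dropper pattern.

    The pattern is: a connection to a host not in PLAY_HOSTS, optionally a
    write of an .apk file, followed by an install request from the same
    package within `window`. A single off-Play connection or a single APK
    write on its own is not flagged; the install request is the trigger.
    """
    last_offplay = {}    # package -> (timestamp, host)
    last_apk_write = {}  # package -> (timestamp, path)
    findings = {}
    for ev in sorted(parse_events(text), key=lambda e: e.ts):
        if ev.kind == "NET_CONNECT" and ev.detail not in PLAY_HOSTS:
            last_offplay[ev.package] = (ev.ts, ev.detail)
        elif ev.kind == "FILE_WRITE" and ev.detail.lower().endswith(".apk"):
            last_apk_write[ev.package] = (ev.ts, ev.detail)
        elif ev.kind == "INSTALL_REQUEST":
            conn = last_offplay.get(ev.package)
            if conn is None or ev.ts - conn[0] > window:
                continue  # install without a recent off-Play fetch: not this pattern
            reasons = [f"non-Play connection to {conn[1]} at {conn[0].isoformat()}"]
            write = last_apk_write.get(ev.package)
            if write is not None and ev.ts - write[0] <= window:
                reasons.append(f"wrote {write[1]}")
            reasons.append(f"install request for {ev.detail}")
            findings.setdefault(ev.package, []).extend(reasons)
    return findings


if __name__ == "__main__":
    for package, reasons in flag_runtime_droppers(SAMPLE_EVENTS).items():
        print(package)
        for reason in reasons:
            print("  -", reason)
```

Run on the sample feed, only `com.example.vpnhelper` is reported, with three reasons; the notes app, which talks to its own API but never requests an install, is not. Treat a hit as a triage signal rather than a verdict: an app that self-updates from its vendor's CDN would match the same rule, which is exactly the ambiguity that pre-submission scanning of the Play listing cannot resolve and that on-device behavioral monitoring is meant to surface.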
Earlier in January 2021, Check Point identified a mobile remote access trojan targeting Android devices that it dubbed Rogue. That malware uses Google's Firebase development platform services as its command and control server and is capable of exfiltrating sensitive data, deleting local data and wiping the entire OS, Check Point said.