In the Google Play Store, a Trojan targeting victims’ financial accounts


Researchers at Check Point Software Technologies identified the Clast82 dropper and immediately reported the discovery to Google, which removed 9 apps.

It’s called a dropper: a program designed to deliver malware to a victim’s phone. Researchers at Check Point Software Technologies, who found it inside 9 utility apps on the Google Play Store, nicknamed it “Clast82.” The company, which is no stranger to identifying flaws in the products of the big web giants, explained that the dropper bypassed the store’s protections to activate a second piece of malware that gave the hacker access to the victims’ financial accounts, as well as control of their smartphones.

How Malware Works

The dropper launches AlienBot Banker, a “malware as a service” second-stage malware that targets financial applications and bypasses the two-factor authentication codes for those services. At the same time, Clast82 is equipped with a Mobile Remote Access Trojan (MRAT), giving the hacker full control of the device without the victim’s knowledge. Clast82’s attack method, as the researchers explained, is as follows:

  • Victim downloads a malicious utility application from Google Play, which contains the Clast82 dropper
  • Clast82 communicates with the C&C server to receive the configuration
  • Clast82 downloads the payload received from the settings and installs it on the Android device, in this case, AlienBot Banker
  • The hacker gains access to the victim’s financial credentials and takes full control of the victim’s smartphone.

The applications involved

The hacker, again according to what the researchers reported, reused legitimate and well-known open source Android apps. Here’s the list: Cake VPN, Pacific VPN, eVPN, BeatPlayer, QR / Barcode Scanner MAX, eVPN, Music Player, tooltipnatorlibrary, QRecorder.

The researchers reported the discovery to Google on January 28, 2021. On February 9, Google confirmed that all Clast82 apps had been removed from the Google Play Store.

“The hacker behind Clast82 was able to bypass Google Play protections using a creative but worrying methodology,” the researchers explain. “With a simple manipulation of readily available third-party resources, such as a GitHub account, the hacker was able to take advantage of available resources to bypass Google Play Store protections. The victims thought they were downloading a harmless utility app from the official Android store, but instead it was a dangerous Trojan targeting their financial accounts.”
