Google has yet again removed 10 applications from its Play Store. The company claims that these apps brought financial Trojans to Android devices. The apps put at risk users who also had banking applications installed on their smartphones.
This came after Check Point Research (CPR) pointed out in a blog post that these Android applications appear to have been submitted by the same threat actor who created new developer accounts for each app.
According to the post, these applications carried droppers that download and install the AlienBot Banker and MRAT.
In the blog post, CPR said, “This Dropper, dubbed Clast82, utilizes a series of techniques to avoid detection by Google Play Protect detection, completes the evaluation period successfully, and changes the payload dropped from a non-malicious payload to the AlienBot Banker and MRAT.”
“The AlienBot malware family is a Malware-as-a-Service (MaaS) for Android devices that allows a remote attacker, at a first step, to inject malicious code into legitimate financial applications. The attacker obtains access to victims’ accounts, and eventually completely controls their device. Upon taking control of a device, the attacker has the ability to control certain functions just as if he was holding the device physically, like installing a new application on the device, or even control it with TeamViewer,” they further added.
The dropper was found in some innocent-looking apps, including Cake VPN, Pacific VPN, BeatPlayer, QR/Barcode Scanner MAX and QRecorder.
The blog post further states, “After the malicious payload is successfully installed, the dropper app launches the payload downloaded. In the case of Clast82, we were able to identify over 100 unique payloads of the AlienBot, an Android MaaS Banker (Malware as a service) targeting financial applications and attempting to steal the credentials and 2FA codes for those applications.”