Malicious apps on Google Play dropped banking Trojans on user devices
#1
Quote: Google has removed 10 apps from the Play Store which contained droppers for financial Trojans.

On Tuesday, Check Point Research (CPR) said in a blog post that the Android applications appear to have been submitted by the same threat actor, who created new developer accounts for each app.

The dropper was loaded into otherwise innocent-looking software, and each of the 10 apps was a utility, including Cake VPN, Pacific VPN, BeatPlayer, QR/Barcode Scanner MAX, and QRecorder.

The utilities' functionality is ripped from existing, legitimate open source Android apps.

In order to avoid detection by Google's standard security protections, Firebase was used as a platform for command-and-control (C2) communication and GitHub was abused for payload downloads.

According to the researchers, the hidden dropper's C2 infrastructure contains parameters -- enable or disable -- to 'decide' whether or not to trigger the app's malicious functions. The parameter is set to "false" until Google has published the app, and then the trap springs.

CPR says the newly discovered dropper, dubbed Clast82, has been designed to deliver financial malware. Once triggered, second-stage payloads are pulled from GitHub, including mRAT and AlienBot.

"If the infected device prevents installations of applications from unknown sources, Clast82 prompts the user with a fake request, pretending to be 'Google Play Services' requesting the user to allow the installation every five seconds," the team says.

mRAT is used to provide remote access to a compromised mobile device, whereas AlienBot facilitates the injection of malicious code into existing, legitimate financial apps. Attackers can hijack banking apps to obtain access to user accounts and steal their financial data, and the malware will also attempt to intercept two-factor authentication (2FA) codes.

The researchers reported the malicious apps to Google on January 29, a day after discovery. By February 9, Google had confirmed that the malware had been removed from the Play Store. The apps accounted for roughly 15,000 installs.

"The hacker behind Clast82 was able to bypass Google Play's protections using a creative, but concerning, methodology," commented Aviran Hazum, Check Point mobile research manager. "With a simple manipulation of readily available third-party resources -- like a GitHub account, or a FireBase account -- the hacker was able to leverage readily available resources to bypass Google Play Store's protections."


Source
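As an added defender-side example (not code from the article, Check Point, or the apps it names), the following Python triage script checks a decoded AndroidManifest.xml and an APK's extracted string constants for the three traits the article describes in combination: a Firebase-hosted enable/disable flag, a GitHub-hosted APK payload, and the REQUEST_INSTALL_PACKAGES permission an app needs to prompt for installs from unknown sources. The manifest, package name and URLs below are constructed sample data.

```python
"""Static triage for the Clast82-style dropper pattern: Firebase kill switch,
GitHub-hosted second stage, and a prompt to allow unknown-source installs.
All sample inputs are constructed, not artefacts of the real apps."""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Hosts used the way the article describes: Firebase for the enable/disable
# flag (C2), GitHub for hosting the dropped APK.
FIREBASE_RE = re.compile(
    r"https?://[\w.-]*(?:firebaseio\.com|firebaseremoteconfig\.googleapis\.com)", re.I)
GITHUB_APK_RE = re.compile(
    r"https?://(?:raw\.githubusercontent\.com|github\.com)/\S+\.apk", re.I)
INSTALL_PERM = "android.permission.REQUEST_INSTALL_PACKAGES"


def manifest_permissions(manifest_xml):
    """Return the set of <uses-permission android:name=...> values."""
    root = ET.fromstring(manifest_xml)
    return {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}


def triage(manifest_xml, strings):
    """Score one APK against the three indicators; all three together
    match the dropper behaviour the researchers describe."""
    perms = manifest_permissions(manifest_xml)
    findings = {
        "firebase_c2": sorted({s for s in strings if FIREBASE_RE.search(s)}),
        "github_payload": sorted({s for s in strings if GITHUB_APK_RE.search(s)}),
        "requests_unknown_source_installs": INSTALL_PERM in perms,
    }
    score = sum(bool(v) for v in findings.values())
    findings["verdict"] = ("dropper-pattern" if score == 3
                           else "suspicious" if score else "clean")
    return findings


# Constructed sample data resembling a repackaged QR-scanner utility.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.qrscanner">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
</manifest>"""
SAMPLE_STRINGS = [
    "https://example-project.firebaseio.com/config/enable.json",       # constructed flag URL
    "https://raw.githubusercontent.com/example/repo/main/update.apk",  # constructed payload URL
    "Google Play Services",                                            # impersonated dialog title
]

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, SAMPLE_STRINGS))
```

The heuristic only flags the combination; a legitimate app can use Firebase or ship an updater, so a "dropper-pattern" verdict is a cue for dynamic analysis, not a conviction.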