Google has removed a bunch of malicious VPNs from the Play Store

Malicious apps contained a dropper used to spread the AlienBot Banker malware

Google has removed nine malicious utility and VPN apps from the Play Store after Check Point Research found that they contained a malware dropper.

The cybersecurity firm recently discovered a new dropper spreading via the Google Play Store, which it has dubbed Clast82. Unlike other malware droppers, Clast82 can avoid detection by Google Play Protect, successfully complete Google’s evaluation period, and change its payload to the AlienBot Banker and MRAT.

The AlienBot malware family is a Malware-as-a-Service (MaaS) for Android devices that allows a remote attacker to inject malicious code into legitimate financial apps. An attacker can obtain access to victims' accounts and even completely control their device just as if they were holding it physically.

While Cake VPN, Pacific VPN, eVPN, BeatPlayer, QR/Barcode Scanner MAX, Music Player, tooltipnatorlibrary, and Qrecorder have all now been removed from the Google Play Store, if you have any of these apps installed on your devices, you should delete them immediately.

Avoiding detection

During its investigation of the Clast82 dropper, Check Point uncovered the infrastructure used by the threat actor behind it to distribute and maintain the campaign.

For each application, the actor created a new developer user for the Google Play Store along with a repository on their GitHub account, which allowed them to distribute different payloads to devices that were infected with each of the malicious apps.

The Clast82 dropper is able to avoid detection during Google’s evaluation period because the configuration sent from the Firebase C&C server used to control it contains an “enable” parameter. Based on the parameter’s value, the malware “decides” whether or not to trigger its malicious behavior. This parameter is set to “false” and only changes to “true” after Google has published one of the threat actor’s malicious apps on the Play Store.

To avoid falling victim to the AlienBot malware, Check Point recommends that users carefully scrutinize any apps before downloading them. The cybersecurity firm also recommends that users install an Android antivirus app on their smartphones.

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.
