Nine Apps on the Play Store Contained the ‘Clast82’ Trojan Dropper

  • Researchers discovered a set of nine Android apps that can fetch malware from GitHub.
  • The apps remain innocuous until Google approves them for publication on the Play Store.
  • Most of the apps are free VPN solutions, audio recording, and music playing software.

Researchers from Check Point have discovered at least nine apps on the Google Play Store that contained a trojan dropper named Clast82. The finding and reporting happened at the end of January 2021, while Google confirmed removing all dangerous apps on February 9, 2021. However, there’s a good chance that many users out there are still using the dangerous apps, as their deletion from the store doesn’t automatically remove them from people’s devices.

The nine dropper apps are the following:

  • Cake VPN
  • Pacific VPN
  • eVPN
  • BeatPlayer
  • QR/Barcode Scanner MAX
  • eVPN (different package)
  • Music Player
  • tooltipnatorlibrary
  • QRecorder

These apps made it through Google’s review by keeping their malicious behavior switched off until the app was accepted. Once the app is published on the Play Store, an “enable” parameter is flipped on, and the dropper begins fetching a variety of additional payloads onto the compromised device.

From banking trojans to remote access tools, a wide range of payloads is delivered through Clast82. Check Point says it detected over 100 unique AlienBot payloads; AlienBot is a malware-as-a-service (MaaS) banker that can steal 2FA codes and credentials.

Source: Check Point

The C&C platform is built on Firebase, while the payloads themselves are hosted on GitHub. The C&C servers used for this purpose reside on the following domains:

  • boloklava87[.]club
  • enegal-23[.]net
  • balabanga90[.]online
  • dsfikj2dsfmolds[.]top
  • blakarda[.]site
  • sponkisn[.]site
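Because the dropper stays dormant until it reaches out to its C&C infrastructure, the domain list above is the most useful artifact for defenders: a DNS or proxy log that shows any of these names being resolved points to a device that has already been compromised. The following script is an added example, not code from Check Point or from this article; it refangs the listed indicators and matches them against a constructed DNS query log (the log format, timestamps and client addresses are made up for the example). Subdomains are matched label by label, so a lookalike such as `notbalabanga90.online` does not produce a false hit.

```python
"""Match the Clast82 C&C domains listed in the article against DNS query logs.

Added example; it is not part of the article or the Check Point report.
The indicator list is copied from the article (defanged with "[.]");
the log lines below are constructed for this example.
"""
import re
from typing import Dict, Iterable, List, Set

# Defanged C&C domains exactly as listed in the article.
CLAST82_C2_DOMAINS_DEFANGED = [
    "boloklava87[.]club",
    "enegal-23[.]net",
    "balabanga90[.]online",
    "dsfikj2dsfmolds[.]top",
    "blakarda[.]site",
    "sponkisn[.]site",
]


def refang(domain: str) -> str:
    """Turn a defanged indicator ('example[.]com') back into a real hostname."""
    return domain.replace("[.]", ".").strip().lower().strip(".")


def build_blocklist(defanged: Iterable[str]) -> Set[str]:
    """Normalised set of hostnames to alert on."""
    return {refang(d) for d in defanged}


def domain_matches(hostname: str, blocklist: Set[str]) -> bool:
    """True if hostname equals a blocked domain or is a subdomain of one.

    The check walks label boundaries (a.b.c.tld -> b.c.tld -> c.tld), so a
    plain substring such as 'notbalabanga90.online' is NOT treated as a hit.
    """
    host = hostname.strip().lower().rstrip(".")
    labels = host.split(".")
    for i in range(len(labels) - 1):
        if ".".join(labels[i:]) in blocklist:
            return True
    return False


# Constructed log format (assumption for this example):
#   "<timestamp> <client_ip> query <qname> <qtype>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$"
)


def scan_dns_log(lines: Iterable[str], blocklist: Set[str]) -> List[Dict[str, str]]:
    """Return one record per log line whose query name hits the blocklist."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the expected format
        qname = m.group("qname").lower().rstrip(".")
        if domain_matches(qname, blocklist):
            hits.append({"ts": m.group("ts"), "client": m.group("client"), "qname": qname})
    return hits


# Constructed sample log: two hits, one lookalike, one malformed line.
SAMPLE_DNS_LOG = [
    "2021-02-01T10:00:01Z 10.0.0.12 query firebaseio.com A",
    "2021-02-01T10:00:02Z 10.0.0.12 query boloklava87.club A",
    "2021-02-01T10:00:03Z 10.0.0.33 query raw.githubusercontent.com A",
    "2021-02-01T10:00:04Z 10.0.0.33 query api.sponkisn.site. A",
    "2021-02-01T10:00:05Z 10.0.0.40 query notbalabanga90.online A",
    "this line is malformed",
]


if __name__ == "__main__":
    blocklist = build_blocklist(CLAST82_C2_DOMAINS_DEFANGED)
    for hit in scan_dns_log(SAMPLE_DNS_LOG, blocklist):
        print(f"{hit['ts']} client {hit['client']} resolved C&C domain {hit['qname']}")
```

The client address in each hit is the thing to act on: it identifies a device that still has one of the dropper apps installed, which matters because removal from the Play Store does not uninstall the app from phones that already have it.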

To get the payload installed, the app needs the user’s permission, and it obtains it with a trick: it shows a fake prompt that pretends to come from Google Play Services.

Source: Check Point

Some of the risky apps listed the email address "sbarkas77590@gmail.com," which is the same address used by the owner of the GitHub repository that hosts the payloads. This suggests that the actor handled large parts of the operation alone.

To protect yourself from threats that become malicious after they have been approved for publication on the Play Store, you have to use some kind of a mobile protection suite from a reputable vendor. Google’s initial reviews are far from being enough, and no matter how trustworthy an app may appear to be, it can always let hell loose at any point in the future. Also, in this particular case, we see four out of the nine malicious apps being free VPNs, so this is just another example of why you should avoid this software category entirely.
