Check your Android for these disguised AlienBot and MRAT apps

A handful of malware-laden Android apps were once again removed from the Google Play Store, and all of them took advantage of the latest trend in malware design: masquerading as innocent clones of useful apps to get past Google’s initial review, then turning into malware once people started downloading and using them.

The good news? The apps in question did not appear to have a ton of downloads: thousands at best, not millions, so the chances are pretty high that you haven’t heard of any of them. Whoever was responsible for the attack, however, published them under different developer names, so there is no single developer account to look out for.

In addition to the app names, which we will list in a second, the only other unifying characteristics are that the attacker used the same developer email for each one (“[email protected]”) and that all of the apps link to the same online privacy-policy page (“https://gohhas.github.io,” followed by the name of the application).

If you still have any of these apps installed on your Android, it’s time to discard them:

  • VPN Cake
  • Pacific VPN
  • eVPN
  • BeatPlayer
  • QR / Barcode Scanner MAX
  • Music player
  • tooltipnatorlibrary
  • QRecorder

Although you cannot check an app’s developer name, contact information or privacy policy directly on your smartphone, you can tap through to see whether the app still exists on the Google Play Store. On my Pixel, it’s as easy as going to Settings > Apps & notifications > See all [number] apps > [app name] > Advanced > App details. This takes you to Google’s online listing for the app. If the listing no longer exists and the app has the same name as one of those I just listed, you have installed the malware.

Screenshot: David Murphy

As for how this malware works, Check Point Research has a great article:

Check Point Research (CPR) recently discovered a new Dropper that spreads through the official Google Play store, which downloads and installs AlienBot Banker and MRAT.

This Dropper, dubbed Clast82, uses a series of techniques to avoid detection by Google Play Protect, successfully completes the evaluation period, and changes the dropped payload from a non-malicious payload to AlienBot Banker and MRAT.

The AlienBot malware family is Malware-as-a-Service (MaaS) for Android devices that allows a remote attacker, as a first step, to inject malicious code into legitimate financial applications. The attacker gains access to the victims’ accounts and eventually completely controls the device. By taking control of a device, an attacker has the ability to control certain functions as if he were physically holding the device, such as installing a new application on the device, or even controlling it with TeamViewer.

Although the chances are low that you installed any of these obscure apps on your device, if you did, I recommend grabbing Malwarebytes and giving yourself a good (free) scan. While you’re at it, change the passwords for all financial accounts tied to the apps you’ve installed on your Android. If Malwarebytes doesn’t find anything on your device, you have two options: accept that and hope for the best, or err on the side of caution and reset the device to its factory configuration, reinstalling everything from scratch.

I’m not sure which option I would choose, and I couldn’t find much information about removing AlienBot or MRAT. You could consider installing one or two other scanning apps to see whether they detect anything (F-Secure or even Avast), and if they all agree that nothing is wrong, you could let it be, after triple-checking via the aforementioned Apps & notifications screen > Special app access that there are no strangely named apps with administrative permissions on your device.
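For readers comfortable with adb, the two checks above (what third-party apps are installed, and which of them hold device-admin rights) can be scripted instead of clicked through. This is an added example written for this page, not code from the article or from Check Point; the `com.example.*` package names are constructed, and the layout of `pm list packages -3` and the `ComponentInfo{...}` lines in `dumpsys device_policy` are assumptions to verify against your own device’s output.

```python
"""Triage helper: list user-installed packages and flag the ones that also
hold device-admin rights, parsed from adb output. Sample output below is
constructed; the __main__ block runs the real commands through adb."""
import re
import subprocess

# Constructed sample of `adb shell pm list packages -3` (third-party apps only).
SAMPLE_PACKAGES = """\
package:com.example.vpncake
package:com.example.beatplayer
package:com.example.qrecorder
"""

# Constructed sample of `adb shell dumpsys device_policy`. The
# "Enabled Device Admins" / ComponentInfo{pkg/cls} layout is an assumption
# about the dumpsys format; compare it with what your device prints.
SAMPLE_DEVICE_POLICY = """\
Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    ComponentInfo{com.google.android.apps.work.clouddpc/com.google.android.apps.work.clouddpc.receivers.CloudDeviceAdminReceiver}:
      uid=10123
    ComponentInfo{com.example.qrecorder/com.example.qrecorder.AdminReceiver}:
      uid=10234
"""


def parse_packages(pm_output: str) -> set:
    """Package names from `pm list packages` lines ("package:<name>")."""
    return {m.group(1) for m in re.finditer(r"^package:(\S+)", pm_output, re.M)}


def parse_device_admins(dp_output: str) -> set:
    """Package part of every ComponentInfo{pkg/cls} entry in dumpsys output."""
    return {m.group(1) for m in re.finditer(r"ComponentInfo\{([^/}]+)/", dp_output)}


def suspicious_admins(pm_output: str, dp_output: str) -> set:
    """User-installed packages that also hold device-admin rights.
    A legitimate MDM agent lands here too, so review each hit by hand."""
    return parse_packages(pm_output) & parse_device_admins(dp_output)


def adb(*args: str) -> str:
    """Run a shell command on the attached device (assumes adb on PATH)."""
    return subprocess.run(["adb", "shell", *args], check=True,
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    pkgs, policy = adb("pm", "list", "packages", "-3"), adb("dumpsys", "device_policy")
    print("\n".join(sorted(parse_packages(pkgs))))  # compare against the list above
    print("third-party device admins:", sorted(suspicious_admins(pkgs, policy)) or "none")
```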
