A new malware dropper contained in 9 Android apps that were distributed through Google Play Store has been uncovered by cybersecurity researchers. This deploys a second stage malware capable of gaining intrusive access to the victims’ financial accounts and full control over their devices.

"This dropper, dubbed Clast82, utilizes a series of techniques to avoid detection by Google Play Protect detection, completes the evaluation period successfully, and changes the payload dropped from a non-malicious payload to the AlienBot Banker and MRAT," Check Point researchers Aviran Hazum, Bohdan Melnykov, and Israel Wernik mentioned in a write-up published yesterday

The apps that were involved in the campaign include Cake VPN, Pacific VPN, eVPN, BeatPlayer, QR/Barcode Scanner MAX, Music Player, tooltipnatorlibrary, and QRecorder. The malicious apps were removed from the Play Store on 9th February after Google came to know about the findings on 28th January.

To clear the vetting mechanisms of the app store, a number of tricky ways have been adopted by the malware authors. They use encryption to hide strings from analysis engines, design malicious versions of legitimate apps, or create fake reviews to entice users to download the apps. The fraudsters constantly innovate new tricks and develop the latest techniques to bypass Google’s vetting process.

Clast82 uses Firebase as a platform for command-and-control (C2) communication and subsequently makes use of GitHub to download the rogue payloads, in addition to leveraging authorized and reliable open-source Android applications to insert the Dropper functionality.

"For each application, the actor created a new developer user for the Google Play store, along with a repository on the actor's GitHub account, thus allowing the actor to distribute different payloads to devices that were infected by each malicious application," the researchers stated.

With the change in ownership, a popular barcode scanner app boasting more than 10 million installations turned rouge with only a single update, last month. Then again, The Great Suspender, a Chrome extension, was deactivated after reports that the add-on features could be abused to run arbitrary code from a remote server.

"The hacker behind Clast82 was able to bypass Google Play's protections using a creative, but concerning, methodology," Hazum said. "With simple manipulation of readily available 3rd party resources — like a GitHub account or a FireBase account — the hacker was able to leverage readily available resources to bypass Google Play Store's protections. The victims thought they were downloading an innocuous utility app from the official Android Market, but what they were really getting was a dangerous trojan coming straight for their financial accounts."