Check Point has discovered a malware dropper hidden inside 10 Google Play apps, which it believes can expose users to remote access and banking malware.
Check Point added that these applications contained a dropper named Clast82, designed to circumvent two-factor authentication codes on banking apps and give attackers access to users' accounts. It can load a mobile remote access trojan (MRAT) and allow the attacker to remotely control the victim's phone through TeamViewer.
These are the malicious applications that Check Point identified:
- Cake VPN
- Pacific VPN
- eVPN – 2 versions
- BeatPlayer – 2 versions
- QR/Barcode Scanner MAX
- Music Player
In addition, the dropper downloads its payload from GitHub, and the attacker created a new Google Play developer account for each application. This allowed the attacker to distribute a different payload to the devices infected by each malicious version of the app.
Aviran Hazum, manager of mobile research at Check Point, said that these applications were disguised as innocuous utility apps on the official Android market; however, users were unaware that what they were really getting was a dangerous Trojan coming straight for their financial accounts.
“The dropper’s ability to remain undetected demonstrates the importance of why users should install a mobile security solution on their device. It is not enough to just scan the app during the evaluation period, as a malicious actor can, and will, change the application’s behavior using readily available third-party tools.”
Check Point reported its findings to Google on January 28, 2021, and confirmed that all Clast82 apps had been removed from Google Play by February 9.
If you still have any of these applications installed on your phone, remove them immediately!