A malware dropper that paves the way for attackers to remotely steal data from Android phones has been spreading via nine malicious apps on the official Google Play store, according to researchers.
The malware is part of a campaign aimed at lifting victims’ financial information, but which also allows eventual takeover of mobile phones, according to Check Point Research.
The dropper, dubbed Clast82, was disguised in benign apps, which don’t fetch a malicious payload until they have been vetted and cleared by Google Play Protect. Google Play Protect is the store’s evaluation mechanism, meant to weed out apps with ill intent and malicious functions.
“During the Clast82 evaluation period on Google Play, the configuration sent from the
[Google] Firebase [command-and-control server] contains an ‘enable’ parameter,” according to Check Point’s research,
released on Tuesday. “Based on the parameter’s value, the malware will decide to trigger the malicious behavior or not. This parameter is set to ‘false’ and will only change to ‘true’ after Google has published the Clast82 malware on Google Play.”
Once ensconced in the App Store, Clast82 fetches the AlienBot banking trojan, or in some cases MRAT, the investigation found.
threatpost.com
