Check your Android for these AlienBot and MRAT apps in disguise

A handful of malware-laden Android apps have once again been removed from the Google Play Store, and they all took advantage of the latest malware design trend: behave cleanly while Google is reviewing the app so that it escapes detection, then switch to a malicious payload once people start downloading and using it.

The good news? The programs involved apparently did not have many downloads. Thousands, at best, rather than millions, so the chances are pretty high that you have not heard of any of the apps involved. Whoever was responsible for the attack published each app under a different developer name, so there is no single developer to look for.

Apart from the applications themselves, which we will list in a second, the only other common traits are that the attacker used the same developer email address for every app – “[email protected]” – and that all the programs link to the same privacy page online (“https://gohhas.github.io,” followed by the app name).

If you still have any of these apps installed on your Android, it’s time to drop them:

  • Cake VPN
  • Pacific VPN
  • eVPN
  • BeatPlayer
  • QR / Barcode Scanner MAX
  • Music player
  • tooltipnator library
  • QR recorder

Although you cannot look up an app’s developer name, contact information or privacy policy directly on your smartphone, you can tap through to see whether the app still exists in the Google Play Store. On my Pixel it’s as easy as going to Settings > Apps & Notifications > See all [number] apps > [app name] > Advanced > App details. This will redirect you to Google’s online listing for the app. If the listing no longer exists and the app has one of the names I just listed, you have malware installed.

Illustration for the article titled Check Your Android for Malware Clones of these useful programs

Screenshot: David Murphy

As for how said malware works, Check Point Research has a good write-up:

Check Point Research (CPR) recently discovered a new Dropper distribution via the official Google Play Store, which downloads and installs the AlienBot Banker and MRAT.

This dropper, called Clast82, uses a series of techniques to avoid detection by Google Play Protect, successfully completes the evaluation period, and changes the payload from a non-malicious one to the AlienBot Banker and MRAT.

The AlienBot Malware Family is a Malware-as-a-Service (MaaS) for Android devices that allows a remote attacker, as a first step, to inject malicious code into legitimate financial applications. The attacker gains access to the accounts of the victims and eventually controls their device completely. When controlling a device, the attacker has the ability to control certain functions as if he were physically holding the device, such as installing a new application on the device, or even controlling it with TeamViewer.

Although the chances are slim, if you have installed one of these shady programs on your device, I recommend grabbing Malwarebytes and giving your device a (free) scan. While you’re at it, change the password for any financial accounts associated with apps you have installed on your Android. If Malwarebytes does not find anything on your device, you have two choices: leave it alone and hope for the best, or be extra security-focused, wipe your device, and reinstall everything from scratch.

I’m not sure which option I’m going with, and I could not find much information about removing AlienBot or MRAT. You may want to consider installing one or two other scanners to see if they pick up anything (F-Secure, or even Avast), and if all of them agree that there is nothing wrong, you can let it go – after triple-checking, via the Apps & Notifications screen > Special app access, that no unfamiliar apps have administrative privileges on your device.
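To make that last check repeatable, here is an added shell script (my own example, not code from the article or from Check Point) that uses adb to list third-party packages missing from an allowlist you maintain, plus every enabled device admin. The `dumpsys device_policy` layout it parses and the one-package-per-line allowlist format are assumptions.

```shell
#!/bin/sh
# Added example, not from the article: inventory a connected Android device
# over adb and flag (a) third-party packages missing from an allowlist and
# (b) enabled device admins. Requires adb; the parsers also work on saved dumps.

# Turn `pm list packages -3` output ("package:com.example.app") into bare
# package names, one per line.
parse_packages() {
    sed -n 's/^package://p'
}

# Pull admin components ("com.pkg/.Receiver") out of `dumpsys device_policy`.
# Assumes the dump lists them indented under an "Enabled Device Admins" header
# until the next blank line (a constructed sample is used for testing).
parse_device_admins() {
    awk '/Enabled Device Admins/ { inblock = 1; next }
         inblock && /^[[:space:]]*$/ { inblock = 0 }
         inblock && /\// { sub(/^[[:space:]]+/, ""); sub(/:.*$/, ""); print }'
}

# Print packages from stdin that do not appear (exact match) in the allowlist file.
flag_unknown() {
    grep -vxF -f "$1" || true   # grep exits 1 when nothing is flagged
}

# Full check against a live device; only runs when invoked with --run.
run_device_check() {
    allow="${1:?usage: $0 --run allowlist.txt}"
    echo "== third-party packages not in allowlist =="
    adb shell pm list packages -3 | tr -d '\r' | parse_packages | flag_unknown "$allow"
    echo "== enabled device admins =="
    adb shell dumpsys device_policy | tr -d '\r' | parse_device_admins
}

case "${1:-}" in
    --run) shift; run_device_check "$@" ;;
esac
```

Play Store labels such as “Cake VPN” are not visible from `pm list packages`, so the comparison is on package names; any package or admin component you do not recognise is the one to look up in the Play Store listing as described above.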

