"10 Google Play Apps Found Containing Banking Malware"
Security researchers from Check Point have discovered a malware dropper hidden inside 10 Google Play apps, which could have put users at risk of remote access and banking malware. The Clast82 dropper was found inside various applications on the official marketplace, including VPNs, QR readers, and music players. Clast82 drops the malware-as-a-service AlienBot Banker, which is designed to circumvent two-factor authentication codes on banking apps to give attackers access to users’ accounts. The dropper can also load a mobile remote access trojan (MRAT) capable of remotely controlling the victim’s phone with TeamViewer. It is designed to bypass Google Play Protect with two main tactics. First, it uses Google-owned Firebase for command-and-control (C&C) communications. Second, it downloads the payload from GitHub; for each application, the attacker created a new developer user on Google Play, alongside a repository on their GitHub account. Doing this enabled the attacker to distribute different payloads to devices infected by each malicious version of the app. After Check Point reported its findings to Google on January 28, 2021, all Clast82 apps were removed from Google Play on February 9.
Infosecurity reports: "10 Google Play Apps Found Containing Banking Malware"