The Malicious VPNs
Google recently removed 3 VPNs from the Play Store after they were found to contain a malware dropper. The removed malicious VPNs are Cake VPN, Pacific VPN and eVPN, all Android VPNs. Furthermore, 6 utility apps were discovered that contained the dropper and were thus also removed from the Play Store. These apps were BeatPlayer, QR/Barcode Scanner MAX, Music Player, tooltipnatorlibrary, and Qrecorder. Researchers from the cybersecurity firm Check Point Research discovered the previously unknown dropper, nicknamed Clast82, on 27 January. They informed Google the next day. By 9 February, Google confirmed that the malicious apps had been removed from the Play Store. The researchers stated in a report published yesterday that the malicious apps seemed to have been developed by one cybercriminal. The above-mentioned 9 apps have been downloaded approximately 15,000 times.
The Dropper’s Aim
Clast82 dropper’s aim is to deliver the AlienBot Banker trojan via various VPN, QR code scanner and music player apps. AlienBot is a banking trojan for Android devices from the Malware-as-a-Service (MaaS) family. Usually, this trojan is used by cybercriminals to inject malicious code into genuine financial applications to gain access to victims’ bank accounts. Once access has been gained, attackers steal victims’ funds and financial data. However, in this instance, AlienBot was used to load malware into newly created malicious apps that are based on legitimate utility apps. Rather than in pre-existing financial apps. For example, Check Point discovered that the malicious Cake VPN app is based on the open-source Cake mobile web browser. This browser for mobiles comes with a built-in VPN to help protect customer’s privacy.
Full Control of Compromised Device
Once activated, AlienBot loads a Mobile Remote Access Trojan (MRAT), a piece of malware used to remotely control victims’ mobile devices. With MRATs, attackers can fully control compromised devices and even intercept two-factor authentication codes sent to them from various genuine applications. “Upon taking control of a device, the attacker has the ability to control certain functions, just as if they were holding the device physically, like installing a new application on the device, or even control it with TeamViewer,” a Check Point Research blog states.
Clast82 Avoids Play Store Protect
Check Point researchers discovered that the cybercriminal behind the malicious VPN apps used legitimate readily available third-party resources in the campaign. The hacker used Google’s own Firebase platform for Command-and-Control (C2) communications. And GitHub as the repository for the malicious apps’ payloads. To avoid detection from Google Play Protect the cybercriminal used two techniques.
Enable Parameter
Firstly, the cybercriminal disabled Clast82 dropper’s malicious behavior during Google’s application evaluation period. The dropper was designed with an “enable” parameter that allows it to determine when to deliver its malicious payload. When the malicious apps were first loaded onto the Play Store, the apps contained a non-malicious payload. And the dropper’s parameter was set to “false”. Once Google’s evaluation period was over and Google published the apps, the dropper’s parameter was set to “true”. This triggered a message to be sent via Firebase to download the malicious payload, the AlienBot Banker trojan, from GitHub. Then, the non-malicious payload was swapped out for the malicious one.
Multiple Developer Users
Secondly, the bad actor created a new Google Play developer user for each malicious app. This allowed the cybercriminal to distribute different payloads to a compromised device, depending on the malicious app(s) the victim installed. AlienBot, and subsequently MRAT, are distributed when victims download the app onto their devices and install it. Furthermore, if the option to install apps from unknown sources was turned off on a device, Clast82 repeatedly urged the user with what appeared to be a legitimate Google Play Services prompt to enable the permission.
Researchers’ Recommendations
To avoid falling victim to AlienBot in malicious VPN or other apps, Check Point recommends that users install an Android antivirus application on their devices. “The dropper’s ability to remain undetected demonstrates the importance of why users should install a mobile security solution on their device. It is not enough to just scan the app during the evaluation period, as a malicious actor can, and will, change the application’s behavior using readily available third-party tools,” Aviran Hazum, manager of mobile research at Check Point warned. In such situations, only a solution that constantly monitors a device for abnormal behavior would be able to protect against such malicious apps. Some Android VPNs, such as Surfshark VPN, provide some protection against malware. However, for the best protection possible, it is best to install a piece of dedicated antivirus software. As well as using a VPN to ensure safe internet browsing and privacy.