Check your Android for these disguised AlienBot and MRAT apps

A handful of malware-laden Android apps have, once again, been removed from the Google Play Store. All of them relied on the latest trend in malware design: posing as harmless clones of useful apps to slip past Google's initial review, then fetching their real, malicious payload only after they had passed and people had started downloading and using them.

The good news? The apps in question don't seem to have had a lot of downloads. Thousands, at best, rather than millions, so the odds are pretty high that you haven't heard of any of the affected apps. However, whoever was behind the attack published them under different developer names, so there is no single developer account to look for.

Apart from the names of the apps, which we'll list in a second, the only other things they have in common are that the attacker used the same developer email for each one (“[email protected]”) and that all of them link to the same privacy policy page online (“https://gohhas.github.io”, followed by the name of the app).

If you still have any of these apps installed on your Android, it's time to uninstall them:

  • Cake VPN
  • Pacific VPN
  • eVPN
  • BeatPlayer
  • Barcode scanner / QR MAX
  • Music player
  • tooltipnatorlibrary
  • QRecorder

Although you can't check an app's developer name, contact information, or privacy policy directly on your smartphone, you can tap through to see whether the app still exists in the Google Play Store. On my Pixel, it's as easy as going to Settings > Apps & notifications > See all [number] apps > [app name] > Advanced > App details. This takes you to the app's listing on Google Play. If the listing no longer exists and the app shares a name with one of those listed above, you've installed the malware. Names alone aren't proof, since unrelated apps can share a title; a listing that Google has pulled is the telling sign.
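If you have adb set up, the same check can be scripted against every third-party package on the phone at once, which also catches apps that never came from Play in the first place. The script below is an added example for this article, not code from Lifehacker or from Check Point Research. It assumes the `package:<name>  installer=<pkg>` line format that `pm list packages -3 -i` prints on current Android, that Google Play installs show `com.android.vending` as the installer, and that a listing Google has pulled returns HTTP 404 from play.google.com. The package names in the sample are placeholders, not the real packages from the campaign.

```shell
#!/bin/sh
# Added example (not from the article or Check Point Research): triage the
# third-party packages on an Android device from `adb shell pm list packages -3 -i`.
# A package whose installer is not Google Play was sideloaded; a Play-installed
# package whose store listing now returns 404 has been pulled by Google.

PLAY_INSTALLER="com.android.vending"   # assumption: Play's installer package name

# classify_package <package> <installer> <play_http_status>
# Prints one verdict line; returns 1 when the package needs a closer look.
classify_package() {
    pkg="$1"; installer="$2"; status="$3"
    if [ "$installer" != "$PLAY_INSTALLER" ]; then
        echo "SIDELOADED  $pkg (installer=$installer)"
        return 1
    fi
    case "$status" in
        404) echo "DELISTED    $pkg (Play listing gone; installed from Play)"; return 1 ;;
        200) echo "ok          $pkg"; return 0 ;;
        *)   echo "UNKNOWN     $pkg (Play returned $status; check manually)"; return 1 ;;
    esac
}

# parse_pm_line <one line of `pm list packages -i` output>
# Prints "<package> <installer>", or nothing for lines that don't match.
parse_pm_line() {
    echo "$1" | sed -n 's/^package:\([^ ]*\) *installer=\(.*\)$/\1 \2/p'
}

# play_status <package>: HTTP status of the Play listing (needs network).
# Assumption: a removed app's details URL answers 404.
play_status() {
    curl -s -o /dev/null -w '%{http_code}' \
        "https://play.google.com/store/apps/details?id=$1"
}

# triage <status-lookup-command>   (pm output on stdin)
# Classifies every package and prints how many need attention.
triage() {
    lookup="$1"; bad=0
    while IFS= read -r line; do
        set -- $(parse_pm_line "$line")
        [ -n "$1" ] || continue
        classify_package "$1" "$2" "$($lookup "$1")" || bad=$((bad + 1))
    done
    echo "$bad package(s) need attention"
    return 0
}

# Constructed sample of `adb shell pm list packages -3 -i` output (not real
# device data; package names are placeholders).
SAMPLE='package:com.example.bankapp  installer=com.android.vending
package:com.example.vpn  installer=com.android.vending
package:com.example.sideloaded  installer=null'

# Offline stand-in for play_status so the sample runs without a network:
# pretend the VPN app's listing has been pulled.
fake_status() {
    case "$1" in
        com.example.vpn) echo 404 ;;
        *) echo 200 ;;
    esac
}

triage fake_status <<EOF
$SAMPLE
EOF
```

Against a real phone, replace the sample with `adb shell pm list packages -3 -i | triage play_status`. Anything reported as SIDELOADED or DELISTED is worth uninstalling unless you know exactly where it came from.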

[Screenshot: David Murphy]

As for how this malware works, Check Point Research has a good write-up:

Check Point Research (CPR) recently discovered a new Dropper spreading via the official Google Play Store, which downloads and installs the AlienBot Banker and MRAT.

This Dropper, dubbed Clast82, uses a series of techniques to avoid detection by Google Play Protect, completes the evaluation period successfully, and changes the payload it drops from a non-malicious one to the AlienBot Banker and MRAT.

The AlienBot malware family is a Malware-as-a-Service (MaaS) for Android devices that allows a remote attacker, as a first step, to inject malicious code into legitimate financial applications. The attacker obtains access to the victims' accounts and eventually completely controls their device. Upon taking control of a device, the attacker has the ability to control certain functions just as if they were physically holding the device, such as installing a new application on it, or even controlling it with TeamViewer.

While the odds are low, if you've installed any of these shady apps on your device, I recommend grabbing Malwarebytes and running a good (and free) scan. While you're at it, change the password for every financial account tied to the apps you've installed on your Android. If Malwarebytes finds nothing on your device, you have two options: leave it and hope for the best, or take the extra-secure route and factory reset your device, reinstalling everything from scratch.

I'm not sure which option I'd go for, and I couldn't find much information about removing AlienBot or MRAT. You could install one or two other scanning apps to see if they pick anything up (F-Secure, or even Avast), and if they all agree that nothing is wrong, you could leave it, after confirming through the aforementioned Apps & notifications screen > Special app access that there's no oddly named app with device admin permissions on your device.

[Screenshot: David Murphy]
