A dropper that spreads through the Google Play Store to deliver financial Trojans has been discovered. Named Clast82, the dropper was found delivering the AlienBot Banker and MRAT Trojans to infected Android devices.
Grabbing the limelight
Clast82 spoofed ten utility applications, including Cake VPN, QRecorder, Pacific VPN, QR/Barcode Scanner MAX, and BeatPlayer, and impersonated numerous other innocuous apps.
- AlienBot injects malicious code into genuine applications installed on smartphones, while MRAT provides remote access to compromised devices.
- Both banking Trojans let the threat actors take over banking applications, steal financial data, and intercept 2FA codes on victims' devices.
Tactics, Techniques, and Procedures
The operators of this campaign used several tactics to evade detection and dupe victims into installing the malicious applications.
- The attacker manipulated readily available third-party resources, such as GitHub and Firebase accounts, to bypass Google Play's protections.
- The dropper's hidden C2 infrastructure carries an enable/disable parameter that lets the operators decide when to trigger the application's malicious functions.
- If the user denies permission, or if the device blocks installation of applications from unknown sources, a fake request purporting to come from Google Play Services is displayed through notifications every five seconds, asking the user to allow the installation.
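The repeated fake "Google Play Services" prompt described in the last bullet is a behaviour a defender can look for in device telemetry. The following is an added example, not code from the original article or from eScan: it runs two simple heuristics over constructed, simplified notification log lines (the log format, package names and the `SYSTEM_PACKAGES` set are assumptions for illustration). The first flags any package that posts the same notification title in a tight burst (several posts a few seconds apart); the second flags non-platform packages whose prompts invoke Google Play and ask to allow an installation.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real Clast82 telemetry): "HH:MM:SS package NOTIFY 'title'".
# com.example.fakevpn mimics the five-second prompt loop; the others are benign noise.
SAMPLE_LOG = """\
10:00:00 com.example.goodapp NOTIFY 'Download complete'
10:00:01 com.example.fakevpn NOTIFY 'Google Play Services: allow installation'
10:00:06 com.example.fakevpn NOTIFY 'Google Play Services: allow installation'
10:00:11 com.example.fakevpn NOTIFY 'Google Play Services: allow installation'
10:00:16 com.example.fakevpn NOTIFY 'Google Play Services: allow installation'
10:00:21 com.example.fakevpn NOTIFY 'Google Play Services: allow installation'
10:05:00 com.example.goodapp NOTIFY 'Sync finished'
10:05:03 com.example.chat NOTIFY 'New message'
10:05:04 com.example.chat NOTIFY 'New message'
10:05:05 com.example.chat NOTIFY 'New message'
"""

LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}) (\S+) NOTIFY '(.*)'$")

# Assumed allow-list: platform packages that may legitimately raise install prompts
# in Google's name. Any other package doing so is treated as a spoofing suspect.
SYSTEM_PACKAGES = {"com.android.vending", "com.google.android.gms"}


def parse_log(text):
    """Parse the constructed log format into (timestamp, package, title) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not match the expected shape
        ts = datetime.strptime(m.group(1), "%H:%M:%S")
        events.append((ts, m.group(2), m.group(3)))
    return events


def find_notification_floods(events, min_run=4, max_gap_s=10):
    """Return {package: longest burst} for packages that post >= min_run notifications
    with an identical title, each no more than max_gap_s seconds after the previous one."""
    by_pkg = defaultdict(list)
    for ts, pkg, title in events:
        by_pkg[pkg].append((ts, title))
    floods = {}
    for pkg, items in by_pkg.items():
        items.sort()
        best = run = 1
        for (prev_ts, prev_title), (ts, title) in zip(items, items[1:]):
            if title == prev_title and ts - prev_ts <= timedelta(seconds=max_gap_s):
                run += 1
            else:
                run = 1  # burst broken by a different title or a long gap
            best = max(best, run)
        if best >= min_run:
            floods[pkg] = best
    return floods


def find_spoofed_install_prompts(events):
    """Packages outside SYSTEM_PACKAGES whose notification text invokes Google Play
    and asks to allow an installation."""
    suspects = set()
    for _, pkg, title in events:
        t = title.lower()
        if pkg not in SYSTEM_PACKAGES and "google play" in t and "install" in t:
            suspects.add(pkg)
    return sorted(suspects)


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("notification floods:", find_notification_floods(ev))
    print("spoofed install prompts:", find_spoofed_install_prompts(ev))
```

On the constructed sample, only `com.example.fakevpn` trips both heuristics: its five identical prompts five seconds apart form a burst, while the chat app's three quick "New message" posts stay below the burst threshold. On real devices the thresholds would need tuning against normal notification volume, and the log would come from a notification listener or the platform's own notification history rather than this toy format.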
The attackers are clearly financially motivated. For users who rely on mobile banking for their daily transactions and stand a chance of losing their hard-earned money, this threat could prove fatal. For these reasons, our internal experts recommend installing an anti-malware application from the eScan family of cybersecurity solutions on their devices. Meanwhile, Google has confirmed the removal of the malware from the Play Store.
To read more, please check eScan Blog