A handful of malware-laden Android apps were once again removed from the Google Play Store, and all of them took advantage of the latest trend in malware design: disguising themselves as innocent clones of useful apps to get past Google's initial screening, then turning malicious once people start downloading and using them.
The good news? The apps in question didn’t appear to have many downloads: thousands at best, rather than millions, so chances are high that you haven’t heard of any of the affected apps. Whoever was responsible for the attack set them all up under different developer accounts, so there is no common developer name to look for.
Aside from the app names, which we’ll list in a second, the only other common characteristics are that the attacker used the same developer email for each app – “sbarkas77590@gmail.com” – and that all of the apps link to the same privacy policy page online (“https://gohhas.github.io”, followed by the name of the app).
If you still have any of these apps installed on your Android, it’s time to drop it:
- Cake VPN
- Pacific VPN
- eVPN
- BeatPlayer
- QR / barcode scanner MAX
- Music player
- tooltipnatorlibrary
- QRecorder
You can’t search for an app’s developer name, contact information, or privacy policy directly on your smartphone. However, you can tap through to see whether that app is even still on the Google Play Store. On my Pixel it’s as easy as: Settings > Apps & notifications > See all [number] apps > [app name] > Advanced > App details. This takes you to the app’s Google Play listing. If that listing no longer exists and the app has the same name as one of those just listed, you have malware installed.
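If you manage more than one device, or want to check an exported app inventory rather than tapping through each app, the indicators in this article (app names, the shared developer email, and the shared privacy policy URL prefix) can be matched automatically. The script below is an added example, not code from the article or from Check Point Research; the InstalledApp record shape and the sample inventory are constructed for illustration, and the path part of the sample privacy URL is an assumption about what “followed by the name of the app” looks like. It treats a hit on a generic name such as “Music player” as low confidence, because plenty of legitimate apps share that name, whereas the developer email and privacy URL are far more specific.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Indicators taken from the article above.
INDICATOR_APP_NAMES = {
    "Cake VPN", "Pacific VPN", "eVPN", "BeatPlayer",
    "QR / barcode scanner MAX", "Music player",
    "tooltipnatorlibrary", "QRecorder",
}
INDICATOR_DEVELOPER_EMAIL = "sbarkas77590@gmail.com"
INDICATOR_PRIVACY_URL_PREFIX = "https://gohhas.github.io"

# Names that many legitimate apps also use; a name-only hit on these is weak.
GENERIC_NAMES = {"Music player"}


def normalize(text: str) -> str:
    """Lower-case and collapse whitespace so 'Music  Player' matches 'Music player'."""
    return " ".join(text.lower().split())


_NORMALIZED_NAMES = {normalize(n) for n in INDICATOR_APP_NAMES}
_NORMALIZED_GENERIC = {normalize(n) for n in GENERIC_NAMES}


@dataclass
class InstalledApp:
    """Hypothetical inventory record: what you would copy off the Play listing."""
    name: str
    developer_email: Optional[str] = None
    privacy_url: Optional[str] = None


def match_indicators(app: InstalledApp) -> List[str]:
    """Return the list of indicators this app matches, in a fixed order."""
    hits: List[str] = []
    if normalize(app.name) in _NORMALIZED_NAMES:
        hits.append("app name")
    if app.developer_email and app.developer_email.strip().lower() == INDICATOR_DEVELOPER_EMAIL:
        hits.append("developer email")
    if app.privacy_url and app.privacy_url.strip().lower().startswith(INDICATOR_PRIVACY_URL_PREFIX):
        hits.append("privacy policy URL")
    return hits


def confidence(app: InstalledApp, hits: List[str]) -> str:
    """Name-only hits on generic names are low confidence; anything else is high."""
    if not hits:
        return "none"
    if hits == ["app name"] and normalize(app.name) in _NORMALIZED_GENERIC:
        return "low"
    return "high"


def scan(apps: List[InstalledApp]) -> Dict[str, Dict[str, object]]:
    """Report only the apps that match at least one indicator."""
    report: Dict[str, Dict[str, object]] = {}
    for app in apps:
        hits = match_indicators(app)
        if hits:
            report[app.name] = {"hits": hits, "confidence": confidence(app, hits)}
    return report


# Constructed sample inventory (the non-indicator names and addresses are made up).
SAMPLE_INVENTORY = [
    InstalledApp("Cake VPN", "sbarkas77590@gmail.com", "https://gohhas.github.io/CakeVPN"),
    InstalledApp("Music Player", "support@example-dev.test", "https://example-dev.test/privacy"),
    InstalledApp("Secure Notes", "sbarkas77590@gmail.com", None),
    InstalledApp("Weather Now", "hello@weather.test", "https://weather.test/privacy"),
]

if __name__ == "__main__":
    for name, result in scan(SAMPLE_INVENTORY).items():
        print(f"{name}: {result['confidence']} confidence, matched {', '.join(result['hits'])}")
```

Anything reported at high confidence should be uninstalled; a low-confidence, name-only hit is a prompt to open the app’s Play listing and compare the developer email and privacy policy link by hand.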
Screenshot: David Murphy
As for how this malware works, Check Point Research has a great summary:
Check Point Research (CPR) recently discovered a new dropper that is spreading through the official Google Play Store, downloading and installing AlienBot Banker and MRAT.
This dropper, named Clast82, uses a number of techniques to avoid detection by Google Play Protect, successfully completes the evaluation period, and changes the payload it drops from a non-malicious payload to AlienBot Banker and MRAT.
The AlienBot family of malware is a Malware-as-a-Service (MaaS) for Android devices that an attacker can use as a first step to insert malicious code into legitimate financial applications. The attacker gains access to the victims’ accounts and ultimately controls their device completely. If the attacker takes control of a device, they can control certain functions as if they were physically holding the device, e.g. install a new application on the device or even control it with TeamViewer.
While the chances are slim that you have one of these seedy apps installed on your device, I recommend grabbing Malwarebytes and giving your device a good (free) scan. Meanwhile, change the passwords for any financial accounts tied to apps you have installed on your Android. If Malwarebytes can’t find anything on your device, you have two options: sit back and hope for the best, or be extra security conscious and factory reset your device, reinstalling everything from scratch.
I’m not sure which option I would go with, and I couldn’t find a lot of information on how to remove AlienBot or MRAT. You can install one or two other scanning apps to see if they pick up anything (F-Secure, or Avast), and if they all agree that nothing is wrong, you could let it be – after triple-checking in the aforementioned Apps & notifications screen (> Special app access) that there weren’t any oddly named apps with administrator privileges on your device.
Screenshot: David Murphy