Check Your Android for Malicious Clones of These Useful Apps
Several malicious Android apps have been removed from the Google Play Store again, all taking advantage of the latest trend in malware development: disguising themselves as innocent clones of useful apps to avoid initial detection by Google, and morphing into trashy malware as soon as people start. download and use them.
Good news? It looks like the apps in question didn’t have a lot of downloads. Thousands at best, not millions, so chances are good you haven’t heard of any of the affected apps. However, whoever was responsible for the attack, they were all subordinate to different developers, so there is nothing in common.
Aside from the application names, which we will list in a second, the only common characteristics are that the attacker used the same developer email address for each of them – “[email protected]”, and all applications link to the same page confidentiality. online (“https://gohhas.github.io” followed by the application name).
If you still have any of these apps installed on your Android, it’s time to abandon them:
- VPN cake
- Pacific VPN
- eVPN
- BeatPlayer
- QR / Barcode Scanner MAX
- Music player
- tooltipnatorlibrary
- QRecorder
While you cannot check the app developer’s name directly on your smartphone, their contact information or privacy policy, you can click on it to see if the said app even exists on the Google Play store. On my Pixel, it’s as easy as going to Settings> Apps & notifications> See all [number of] apps> [app name]> More> App info . This will take you to the online Google app listing. If it does not exist and the specified application has the same name as one of the ones I have listed, then you have installed malware.
Regarding how said malware works, Check Point Research has an excellent article:
Check Point Research (CPR) recently discovered a new dropper distributed through the official Google Play store that downloads and installs AlienBot Banker and MRAT.
Called Clast82, this dropper uses a number of methods to avoid detection through Google Play Protect detection, successfully completes the evaluation period, and changes the payload dropped from the unprotected payload to AlienBot Banker and MRAT.
The AlienBot malware family is malware as a service (MaaS) for Android devices that allows a remote attacker to inject malicious code into legitimate financial applications as a first step. The attacker gains access to the accounts of the victims and ultimately has complete control over their device. After gaining control of a device, an attacker is able to control certain functions in the same way as if he were physically holding the device, for example by installing a new application on the device or even controlling it using TeamViewer.
While the chances are slim, if you’ve installed any of these questionable apps on your device, I recommend grabbing Malwarebytes and doing a good ( free ) scan. While you are doing this, change the password for any financial accounts associated with the apps you have installed on your Android. If Malwarebytes doesn’t find anything on your device, you have two options: survive it and hope for the best, or be extra secure and reset your device to factory settings, reinstalling everything from scratch.
I’m not sure which option to choose and I couldn’t find much information on uninstalling AlienBot or MRAT. You might consider installing one or two other scanning apps to see if they are catching anything ( F-Secure or even Avast ), and if everyone agrees it’s okay, you can let that be – after Confirmation three times via the aforementioned Apps & Notifications screen> Special App Access so that your device doesn’t have strangely named apps that use administrative permissions.