Apps that spread AlienBot and MRAT malware found on Google Play

AlienBot and MRAT on Google Play
Written by Emma Davis

Check Point experts have again discovered the AlienBot banker and the MRAT Trojan on the Google Play Store. This time, nine applications included the Clast82 dropper, which was distributing this malware.

The malicious activity was reportedly involved in Cake VPN, Pacific VPN, eVPN, BeatPlayer, QR/Barcode Scanner MAX, Music Player, tooltipnatorlibrary and QRecorder applications. All of them copied the functionality of existing open source applications, and were removed from the official catalog in early February. In total, these applications have been installed about 15,000 times.

To avoid detection, the malware developer used Firebase as a control platform, and also used GitHub to download payloads. In addition, according to the researchers, the dropper itself made decision, when to activate the malicious functions.

Basically, the parameter was set to “false” until the app passed all Google reviews and was published on the Google Play Store.

If an infected device prevents the installation of applications from unknown sources, Clast82 shows the user a fake request posing as Google Play Services and asks the user for permission to install every five seconds.the experts say.

At the same time, for each malicious application, the hacker has a separate developer account on Google Play and a repository on GitHub. This allowed the attacker to distribute various payloads between infected devices more conveniently.

AlienBot and MRAT on Google Play
In terms of payloads, MRAT is used to remotely access a compromised device, while AlienBot is a MaaS tool (Malware-as-a-Service) that allows an attacker to inject malicious code into a victim’s legitimate financial applications. As a result, the attacker gains access to user accounts and full control over his device.

The attacker obtains access to victims’ accounts, and eventually completely controls their device. Upon taking control of a device, the attacker has the ability to control certain functions just as if he was holding the device physically, like installing a new application on the device, or even control it with TeamViewer.Check Point researchers explain.

Let me remind you that a Child helped to detect malware in the Google Play, downloaded over 2.4 million times.

Sending
User Review
4 (1 vote)
Comments Rating 0 (0 reviews)

About the author

Emma Davis

I'm writer and content manager (a short time ago completed a bachelor degree in Marketing from the Gustavus Adolphus College). For now, I have a deep drive to study cyber security.

Leave a Reply

Sending