What is one of the scariest scenarios involving a malicious app? How about one that can get past the protection offered by Google Play Protect (which scans the apps you download looking for malware) and gets into your financial apps? According to Check Point Research, a dropper called Clast82 can avoid detection by Google Play Protect and can swap its non-malicious payload for one that can access financial accounts and take control of the victim’s handset.
Check Point found that the dropper, set off by a remote attacker, injects malicious code into legitimate financial apps. How dangerous is this? Check Point says, “Upon taking control of a device, the attacker has the ability to control certain functions, just as if they were holding the device physically, like installing a new application on the device, or even control it with TeamViewer.” The latter is used by companies to gain remote access to help service a device that is not working.
Because the attacker can change the original behavior of the app that gets infected, the scanning used by Google Play Protect won’t help discover its malicious nature. Check Point says that “A solution that monitors the device itself, constantly scanning network connections and behaviors by application would be able to detect such behavior.”
The initial discovery was made on January 27th and the issue was discussed with Google the very next day. On February 9th, Google confirmed that all Clast82 apps were removed from the Google Play Store. Even though they have been removed from the Android app storefront, they still might be on your phone. If you have any of the following nine apps on your handset, uninstall them immediately. The name of the app is followed by its package name in parentheses:
- Cake VPN (com.lazycoder.cakevpns)
- Pacific VPN (com.protectvpn.freeapp)
- eVPN (com.abcd.evpnfree)
- BeatPlayer (com.crrl.beatplayers)
- QR/Barcode Scanner MAX (com.bezrukd.qrcodebarcode)
- Music Player (com.revosleap.samplemusicplayers)
- tooltipnatorlibrary (com.mistergrizzlys.docscanpro)
- QRecorder (com.record.callvoicerecorder)
- eVPN (com.abcd.evpnfree)
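One way to check a handset for the package names listed above, as an added example that is not from the article or from Check Point: it assumes `adb` is installed and USB debugging is enabled, and the `pm list packages` output it runs against here is constructed for demonstration.

```shell
#!/bin/sh
# Package names from the article's list (eVPN appears once; the list repeats it).
CLAST82_PACKAGES="com.lazycoder.cakevpns com.protectvpn.freeapp com.abcd.evpnfree \
com.crrl.beatplayers com.bezrukd.qrcodebarcode com.revosleap.samplemusicplayers \
com.mistergrizzlys.docscanpro com.record.callvoicerecorder"

# find_clast82: read `pm list packages` output on stdin (lines such as
# "package:com.example.app"), strip the prefix and any CR from Windows adb,
# and print every installed package that exactly matches the list above.
find_clast82() {
    tr -d '\r' | while IFS= read -r line; do
        pkg=${line#package:}
        for bad in $CLAST82_PACKAGES; do
            if [ "$pkg" = "$bad" ]; then
                printf '%s\n' "$pkg"
            fi
        done
    done
}

# count_clast82: number of matching packages in the stdin listing.
count_clast82() {
    find_clast82 | wc -l | tr -d ' '
}

# Constructed sample standing in for `adb shell pm list packages`.
SAMPLE_PM_OUTPUT='package:com.android.chrome
package:com.abcd.evpnfree
package:com.example.bank
package:com.crrl.beatplayers'

printf '%s\n' "$SAMPLE_PM_OUTPUT" | find_clast82

# Against a live device (assumes adb on PATH and a connected, authorized handset):
#   adb shell pm list packages | find_clast82 | while read -r p; do adb uninstall "$p"; done
```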
As we’ve said often, the best way to catch a malicious app before you download it is to read the comments section in the Play Store/App Store and look for comments pertaining to unusual behavior from the app.