Site navigation

Malware on Google Play Store Apps Let Attackers Takeover Phones

Michael Behr


Google Play Store malware

The malware was able to evade detection during the evaluation period, putting users’ financial details at risk.

New research from cybersecurity specialists Check Point has found malware on eight apps that were available from the Google Play Store.

The findings show that a new dropper, designed to let the attacker obtain access to victims’ financial accounts and take control of their phone, was contained in the apps. The apps mostly included VPNs, along with QR readers and music players.

Clast82, as the malware was dubbed, can avoid detection by Google Play Protect, allowing it to hide during the app’s evaluation period.

The dropper’s malicious behaviour can be deactivated during evaluation before being changed to drop from a malicious payload – the AlienBot Banker and mobile remote access trojan (MRAT), using GitHub as a third-party hosting platform.

AlienBot is a malware-as-a-service piece of code designed for Android devices. Once downloaded from the Google Play Store and installed, it allows criminals to inject malicious code into legitimate financial applications. It can bypass two-factor authentication codes on banking apps to let criminals access financial data. Over time, attackers can take full control of the device and install new applications or even control it with TeamViewer.

“The victims thought they were downloading an innocuous utility app from the official Android Market, but what they were really getting was a dangerous Trojan coming straight for their financial accounts,” said Check Point manager of mobile research Aviran Hazum.


According to Check Point, the apps were all likely created by the same actor.

The malicious apps were Cake VPN; Pacific VPN; eVPN; BeatPlayer; QR/Barcode Scanner MAX; Music Player; tooltipnatorlibrary; and QRecorder.

After discovering the apps in late January, Check Point alerted Google, and the malicious apps were all removed from the store by February 9th.

The fact that Clast82 was able to remain undetected during the evaluation period demonstrates the importance of mobile security solutions. Since it changes the payload it drops after the evaluation period, it is particularly difficult to catch. As such, Check Point noted, users would need a solution that monitors the device itself and constantly scans network connections and behaviours by application.

Michael Behr

Senior Staff Writer

Latest News

%d bloggers like this: