Check your Android for these disguised AlienBot and MRAT apps

A handful of malware-laden Android apps have once again been pulled from the Google Play Store, and all of them follow the latest trend in malware design: they pose as innocent clones of useful apps to slip past Google's initial screening, then turn malicious once people have started downloading and using them.

The good news? The apps in question did not appear to have many downloads. Thousands at best, rather than millions, so the odds are good that you have never heard of any of the affected apps. Whoever was behind the attack, however, published them all under different developer names, so there is no single developer account to watch for.

Aside from the names of the apps, which we'll list in a second, the only other features they share are that the attacker used the same developer email for each – "[email protected]" – and that all of the apps link to the same online privacy policy page ("https://gohhas.github.io", followed by the name of the application).

If you still have any of these apps installed on Android, it's time to uninstall them:

  • Cake VPN
  • VPN VPN
  • eVPN
  • BeatPlayer
  • QR scanner / MAX barcodes
  • Music Player
  • tooltipnatorlibrary
  • QRecorder

Although you can't check an app's developer name, contact information or privacy policy directly on your smartphone, you can tap through to see whether the app still exists on the Google Play Store. On my Pixel, it's as easy as going to Settings > Applications and notifications > View all [number] applications > [app name] > Advanced > Application details. This takes you to the app's listing on Google Play. If the listing no longer exists and the application has the same name as one of the ones I just listed, you've installed malware.

Screenshot: David Murphy

As for how the malware works, Check Point Research has an excellent write-up:

Check Point Research (CPR) recently discovered a new Dropper spread through the official Google Play store, which downloads and installs AlienBot Banker and MRAT.

This Dropper, nicknamed Clast82, uses a number of techniques to avoid detection by Google Play Protect, successfully completes the evaluation period, and changes the dropped payload from a non-malicious payload to AlienBot Banker and MRAT.

The AlienBot malware family is a Malware-as-a-Service (MaaS) for Android devices that allows a remote attacker, as a first step, to inject malicious code into legitimate financial applications. The attacker gains access to the victims’ accounts and eventually completely controls their device. When taking control of a device, the attacker has the ability to control certain functions just as if he held the physical device, such as installing a new application on the device or even controlling it with TeamViewer.

Although the chances are slim, if you have any of these shady apps installed on your device, I recommend grabbing Malwarebytes and running a thorough (free) scan. While you're at it, change your password for any financial accounts connected to the apps you've installed on Android. If Malwarebytes finds nothing on your device, you have two options: leave it alone and hope for the best, or play it safe and reset your device, reinstalling everything from scratch.

I'm not sure which option I would go with, and I couldn't find much information about removing AlienBot or MRAT. You may want to consider installing one or two other scanning applications to see if they pick up anything (F-Secure, or even Avast), and if they all agree that there is nothing wrong, you can leave it at that – after triple-checking via the Applications and notifications screen > Special access to applications that there are no strange applications with administrative permissions on your device.
