April 21, 2021 By David Bisson 2 min read

Clast82, a malware dropper that helps attackers spread the AlienBot mobile remote access Trojan and malware-as-a-service, has been detected on Google’s Play Store. After Clast82 sought to evade Google’s detection, it was patched in February. Read on to find how enterprise can protect employees against this and other types of malware.

Inside the Malicious Dropper

Check Point found that the Clast82 malware dropper inserted malicious code into Android apps on Google Play.

Those apps started a service from MainActivity upon launch in order to start a dropping flow known as LoaderService. It also started a foreground service to drop the mobile remote access Trojan. As part of this process, Clast82 had to get around the need to show an ongoing notification to a user. It did so by displaying a ‘neutral’ notification, such as ‘GooglePlayServices,’ with no other text.

From there, two of Clast82’s evasion techniques took effect. First, the malware dropper used Firebase as a command-and-control communication platform. Firebase responded with a configuration containing an ‘enable’ parameter whose value determined whether Clast82 triggered. By default, that parameter read ‘false.’ It changed to ‘true’ after Google published the malware dropper on its Play Store.

Second, Firebase received a payload path from GitHub and called the ‘installApp’ method to finalize and launch the payload.

Some affected devices block installations from unknown sources. In those cases, Clast82 prompted the user to allow installation every five seconds under the guise of ‘Google Play Services.’

Check Point’s researchers learned that that the threat actor behind Clast82 created a new developer user for each new app on Google’s Play Store. They also created a new repository on their GitHub account. That let the attackers serve up different payloads, including the remote access Trojan.

Following their initial report on Jan. 27, Check Point notified Google about the malicious apps a day later. The tech giant confirmed on Feb. 9 that it had removed the affected apps from its Play Store.

The AlienBot Remote Access Trojan

The researchers at Check Point observed Clast82 dropping over 100 different samples of AlienBot. This mobile remote access Trojan is known for targeting financial apps with malicious code in order to steal credentials and two-factor authentication codes. At that point, the malware-as-a-service can then empty the victim’s banking account, install malicious apps and/or control the infected device with TeamViewer.

AlienBot isn’t a new malware. ThreatFabric examined the mobile remote access Trojan and found that it included a fork of the first variant of Cerberus. The people behind Cerberus shut it down in 2020, after which fraudsters began switching to Alien as their preferred Android-based MaaS tool.

How to Defend Against Clast82

Organizations need to defend themselves and their users against Clast82 or another mobile remote access Trojan. They can do this by using mobile device management to limit or terminate the use of some mobile apps installed on devices that interact with corporate data. At the same time, they should consider using threat intelligence to track new digital threats and implement defensive measures as a precaution.

More from News

ONCD releases request for information: Open-source software security

3 min read - Open-source software is a collective partnership across the development community that requires both private and public buy-in. However, securing open-source software can be tricky. With so many different people working on the coding, security measures are often overlooked, increasing the chances that a vulnerability will fall through the cracks and be exploited. The Open-Source Software Security Initiative (OS31) aims to provide governance over open-source security processes. After the Log4Shell vulnerability, securing open-source software became a top priority for the federal…

3,000 “ghost accounts” on GitHub spreading malware

3 min read - In the past, cyber criminals directly distributed malware on GitHub using encrypted scripting code or malicious executables. But now threat actors are turning to a new tactic to spread malware: creating ghost accounts. A highly effective malware campaign Check Point Research recently exposed a new distribution-as-a-service (DaaS) network, referred to as the Stargazers Ghost Network, that has been spreading malware on GitHub for at least a year. Because the accounts perform typical activities as well, users did not realize that…

Warren Buffett’s warning highlights growing risk of cyber insurance losses

3 min read - The United States cyber insurance industry continues to see strong profits, according to Fitch Ratings. Average premium increases, meanwhile, have moderated over the last three years: While 2021 saw a 34% jump in premium pricing and costs rose 15% in 2022, increases were under 1% in 2023.As noted by the Fitch Ratings report, "segment underwriting profitability at current levels is unsustainable as cyber insurance pricing is likely to remain flat or down going forward." While this is good news for…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today