April 21, 2021 By David Bisson 2 min read

Clast82, a malware dropper that helps attackers spread the AlienBot mobile remote access Trojan and malware-as-a-service, has been detected on Google’s Play Store. After Clast82 sought to evade Google’s detection, it was patched in February. Read on to find how enterprise can protect employees against this and other types of malware.

Inside the Malicious Dropper

Check Point found that the Clast82 malware dropper inserted malicious code into Android apps on Google Play.

Those apps started a service from MainActivity upon launch in order to start a dropping flow known as LoaderService. It also started a foreground service to drop the mobile remote access Trojan. As part of this process, Clast82 had to get around the need to show an ongoing notification to a user. It did so by displaying a ‘neutral’ notification, such as ‘GooglePlayServices,’ with no other text.

From there, two of Clast82’s evasion techniques took effect. First, the malware dropper used Firebase as a command-and-control communication platform. Firebase responded with a configuration containing an ‘enable’ parameter whose value determined whether Clast82 triggered. By default, that parameter read ‘false.’ It changed to ‘true’ after Google published the malware dropper on its Play Store.

Second, Firebase received a payload path from GitHub and called the ‘installApp’ method to finalize and launch the payload.

Some affected devices block installations from unknown sources. In those cases, Clast82 prompted the user to allow installation every five seconds under the guise of ‘Google Play Services.’

Check Point’s researchers learned that that the threat actor behind Clast82 created a new developer user for each new app on Google’s Play Store. They also created a new repository on their GitHub account. That let the attackers serve up different payloads, including the remote access Trojan.

Following their initial report on Jan. 27, Check Point notified Google about the malicious apps a day later. The tech giant confirmed on Feb. 9 that it had removed the affected apps from its Play Store.

The AlienBot Remote Access Trojan

The researchers at Check Point observed Clast82 dropping over 100 different samples of AlienBot. This mobile remote access Trojan is known for targeting financial apps with malicious code in order to steal credentials and two-factor authentication codes. At that point, the malware-as-a-service can then empty the victim’s banking account, install malicious apps and/or control the infected device with TeamViewer.

AlienBot isn’t a new malware. ThreatFabric examined the mobile remote access Trojan and found that it included a fork of the first variant of Cerberus. The people behind Cerberus shut it down in 2020, after which fraudsters began switching to Alien as their preferred Android-based MaaS tool.

How to Defend Against Clast82

Organizations need to defend themselves and their users against Clast82 or another mobile remote access Trojan. They can do this by using mobile device management to limit or terminate the use of some mobile apps installed on devices that interact with corporate data. At the same time, they should consider using threat intelligence to track new digital threats and implement defensive measures as a precaution.

More from News

Why the Christie’s auction house hack is different

3 min read - Christie's, one of the world's leading auction houses, was hacked in May, and the cyber group RansomHub has claimed responsibility. On May 12, Christie’s CEO Guillaume Cerutti announced on LinkedIn that the company had “experienced a technology security incident.” RansomHub threatened to leak “sensitive personal information” from exfiltrated ID document data, including names, dates of birth and nationalities. On the group’s dark website, RansomHub claims to possess 2GB of data on “at least 500,000” Christie’s clients from around the world.…

Should there be a total ban on ransomware payments?

3 min read - The debate about the United States government banning companies from making ransomware payments is back in the headlines. Recently, the Ransomware Task Force for the Institute for Security and Technology released a memo on the topic. The task force stated that making a ban on ransomware payments in the U.S. at the current time will worsen the harm to victims, society and the economy. Additionally, small businesses cannot withstand a lengthy business disruption and might go out of business after…

5 takeaways from the White House cybersecurity workforce discussion

3 min read - The Office of the National Cyber Director (ONCD) recently hosted a 3-hour discussion on creating a strong cybersecurity workforce; the results are enlightening. The session involved representatives from more than 30 public and private organizations spanning 12 industries. The ONCD advises the United States President on cybersecurity policy and strategy. Its mission is to advance national security, economic prosperity and technological innovation through cybersecurity policy leadership. “In our increasingly digital world, where cyber threats are growing more frequent and more…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today