Clast82, a malware dropper that helps attackers spread the AlienBot mobile remote access Trojan and malware-as-a-service, has been detected on Google’s Play Store. After Clast82 sought to evade Google’s detection, it was patched in February. Read on to find how enterprise can protect employees against this and other types of malware.

Inside the Malicious Dropper

Check Point found that the Clast82 malware dropper inserted malicious code into Android apps on Google Play.

Those apps started a service from MainActivity upon launch in order to start a dropping flow known as LoaderService. It also started a foreground service to drop the mobile remote access Trojan. As part of this process, Clast82 had to get around the need to show an ongoing notification to a user. It did so by displaying a ‘neutral’ notification, such as ‘GooglePlayServices,’ with no other text.

From there, two of Clast82’s evasion techniques took effect. First, the malware dropper used Firebase as a command-and-control communication platform. Firebase responded with a configuration containing an ‘enable’ parameter whose value determined whether Clast82 triggered. By default, that parameter read ‘false.’ It changed to ‘true’ after Google published the malware dropper on its Play Store.

Second, Firebase received a payload path from GitHub and called the ‘installApp’ method to finalize and launch the payload.

Some affected devices block installations from unknown sources. In those cases, Clast82 prompted the user to allow installation every five seconds under the guise of ‘Google Play Services.’

Check Point’s researchers learned that that the threat actor behind Clast82 created a new developer user for each new app on Google’s Play Store. They also created a new repository on their GitHub account. That let the attackers serve up different payloads, including the remote access Trojan.

Following their initial report on Jan. 27, Check Point notified Google about the malicious apps a day later. The tech giant confirmed on Feb. 9 that it had removed the affected apps from its Play Store.

The AlienBot Remote Access Trojan

The researchers at Check Point observed Clast82 dropping over 100 different samples of AlienBot. This mobile remote access Trojan is known for targeting financial apps with malicious code in order to steal credentials and two-factor authentication codes. At that point, the malware-as-a-service can then empty the victim’s banking account, install malicious apps and/or control the infected device with TeamViewer.

AlienBot isn’t a new malware. ThreatFabric examined the mobile remote access Trojan and found that it included a fork of the first variant of Cerberus. The people behind Cerberus shut it down in 2020, after which fraudsters began switching to Alien as their preferred Android-based MaaS tool.

How to Defend Against Clast82

Organizations need to defend themselves and their users against Clast82 or another mobile remote access Trojan. They can do this by using mobile device management to limit or terminate the use of some mobile apps installed on devices that interact with corporate data. At the same time, they should consider using threat intelligence to track new digital threats and implement defensive measures as a precaution.

More from News

Hackers are Increasingly Targeting Auto Dealers

Auto dealerships are increasingly concerned with cybersecurity in the face of new regulations and an alarming rise in cyberattacks. The Second Annual Global State of Cybersecurity Report by CDK Global found that 85% of dealerships say cybersecurity is very or extremely important relative to other operational areas. Additionally, 89% say cybersecurity is more important than last year, a 12% increase. Not surprisingly, only 37% of auto retailers are confident in the current protection, which is a 21% decrease from 2021.…

LastPass Breaches Cast Doubt on Password Manager Safety

In 2022, LastPass suffered a string of security breaches which sparked concern among cyber professionals and those impacted by the intrusions. Some called into question the way LastPass handled and responded to the incident. In addition, the situation ignited a wider conversation about the risks linked to utilizing password managers. A password manager helps users generate strong passwords and safeguards them within a digital locker. A master password secures all data, which enables users to conveniently access all their passwords…

Good Guys Decrypt Ransomware Targeting Charitable Groups

Imagine you’re an IT manager amid a ransomware attack. While your team scrambles for solutions, the intruders demand a ransom. Of course, you don’t want to pay; you just want your files back. But as time ticks by and the extortionists turn up the heat, your bosses are about to give in and pay the ransom. But then, the FBI calls. “Don’t pay,” the agent says. “We’ve found someone who can crack the encryption.” Sound too good to be true?…

Threat Groups Offer $240k Salary to Tech Jobseekers

Dark web forums are home to various individuals interested in conducting illicit or questionable activities. These forums offer opportunities such as the transaction of stolen data, Malware-as-a-Service, hacking services and invitations to collaborate in hacktivism. Cyber crime team members are recruited directly from the source: the dark web. What does this activity look like? Kaspersky recently conducted an analysis of 155 dark web forums from January 2020 to June 2022. They examined job postings and resumes that contained information about…