Researchers on Tuesday published a serious warning for Android device owners, alerting them to the discovery of eight dangerous apps in the Google Play Store that could have allowed an attacker to take over a victim’s smartphone as well as drain their bank account.
That’s according to Check Point Research, which said in its report about the discovery that the cyber threat intelligence firm actually found the apps back on January 27 and notified Google about them the next day. One month ago today, Google confirmed that they’d been removed from the Play Store — but you still need to remove any of these from your device yourself, if you have them. So, what exactly happened here? Read on for the details, as well as the names of all eight of the identified Android apps.
The Check Point researchers explained that what they discovered is a malware dropper, called “Clast82,” which was spreading via the eight apps. What’s scary about it is that the dropper was able to avoid being caught by Google Play Protect, and it also includes a remote access trojan so nasty that one of the researchers told Forbes it lets the attacker take “full control over a victim’s phone — making it as if the hacker is holding the phone physically.”
According to the Check Point findings, this particular dropper seems to prefer the AlienBot Malware-as-a-Service (MaaS), which lets an attacker remotely inject malicious code into legitimate financial applications on Android devices. “The attacker obtains access to victims’ accounts, and eventually completely controls their device,” the researchers explain. “Upon taking control of a device, the attacker has the ability to control certain functions, just as if they were holding the device physically, like installing a new application on the device, or even control it with TeamViewer.”
The eight apps in question, along with their package names, are as follows, per Check Point Research:
- Cake VPN (com.lazycoder.cakevpns)
- Pacific VPN (com.protectvpn.freeapp)
- eVPN (com.abcd.evpnfree)
- BeatPlayer (com.crrl.beatplayers)
- QR/Barcode Scanner MAX (com.bezrukd.qrcodebarcode)
- Music Player (com.revosleap.samplemusicplayers)
- tooltipnatorlibrary (com.mistergrizzlys.docscanpro)
- QRecorder (com.record.callvoicerecorder)
Again, you should absolutely delete any of these apps immediately if you find them on your device. It would probably also be a good idea to change any passwords associated with your financial accounts, too, since accessing those is one of the worries here.
While hackers can be quite clever and creative in the degree to which they’ll go to hide the intentions and true nature of their apps, this is yet another opportunity to be reminded that you should always double-check the apps you’re preparing to download and the identity of the developers behind them. It doesn’t appear to be a situation where the apps above were able to infect millions of devices before researchers caught on to them — this time. But hackers who are truly committed will keep coming back, undaunted, until they score.