Check your Android for these AlienBot and MRAT apps in disguise

A handful of malware-laden Android apps have been removed from the Google Play Store yet again, and they all used the current malware design trend: posing as harmless clones of useful apps to slip past Google's initial review, then switching to a malicious payload once people have downloaded and started using them.

The good news? The apps in question don't seem to have had many downloads: thousands at best, rather than millions, so chances are high that you've never heard of them. However, whoever was behind the attack published them under different developer names, so there's no single developer to look for.

Aside from the app names, which we'll list in a moment, the only other unifying features are that the attacker used the same developer email address for each app, '[email protected]', and that every app links to the same privacy-policy page online ("https://gohhas.github.io", followed by the name of the app).

If you still have any of these apps installed on your Android, it’s time to uninstall them:

  • Cake VPN
  • Pacific VPN
  • eVPN
  • BeatPlayer
  • QR / Barcode Scanner MAX
  • Music player
  • tooltipnatorlibrary
  • Recorder

Although you can't see an app's developer name, contact information or privacy policy directly on your phone, you can tap through to check whether the app still exists in the Google Play Store at all. On my Pixel, that's as easy as going to Settings > Apps & notifications > View all [number] apps > [app name] > Advanced > App details. That takes you to Google's online listing for the app. If the listing no longer exists and the app has the same name as one of the apps I just mentioned, you most likely have the malware installed.

Screenshot: David Murphy

As for how the malware works, Check Point Research has a good write-up:

Check Point Research (CPR) recently discovered a new Dropper spreading through the official Google Play Store, which downloads and installs the AlienBot Banker and MRAT.

This Dropper, called Clast82, uses a series of techniques to avoid detection by Google Play Protect, successfully completes the evaluation period and changes the payload from a non-malicious payload to the AlienBot Banker and MRAT.

The AlienBot malware family is a Malware-as-a-Service (MaaS) for Android devices that allows a remote attacker to inject malicious code into legitimate financial applications as a first step. The attacker gains access to the victims' accounts and ultimately takes full control of their device. When the attacker takes control of a device, he has the ability to control certain functions as if he were physically holding the device, such as installing a new application on the device or even controlling it with TeamViewer.

While the chances that you're affected are slim, I recommend grabbing Malwarebytes and running a (free) scan. While you're at it, change the passwords for any financial accounts tied to apps installed on your Android. If Malwarebytes doesn't find anything on your device, you have two choices: carry on and hope for the best, or be extra security-conscious and factory reset your device, reinstalling everything from scratch.

I'm not sure which option to choose, and I haven't been able to find much information on how to remove AlienBot or MRAT. You could consider installing one or two other scanning apps to see whether they pick up anything (F-Secure, or even Avast), and if all of them agree that nothing is going on, you can leave it at that, after triple-checking via the aforementioned Apps & notifications screen > Special app access that no strangely named apps hold device admin privileges on your device.
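If you have adb set up, the two manual checks above (does the Play listing still exist, and does anything odd hold device-admin rights) can be scripted from the output of `adb shell pm list packages -3 -i` and `adb shell dumpsys device_policy`. The script below is an added example written for this page; it is not code from Lifehacker or from Check Point Research, and the package names and command output it runs on are constructed, not taken from a real device. It assumes that an app installed from the Play Store records `com.android.vending` as its installer of record, and that a payload an app drops itself (as the Clast82 write-up describes) typically records a different installer or `null`. That check will not flag the dropper itself, which really did come from Play; for that, the script builds the Play listing URL for each third-party package so you can open it and see whether Google has pulled the app.

```python
import re
import subprocess

# Installer package names treated as a trusted store. Constructed allowlist for
# this example: Google Play only. Add your OEM's store if you use one.
TRUSTED_INSTALLERS = {"com.android.vending"}

# `pm list packages -i` prints one line per package:
#   package:<name>  installer=<installer package, or null>
PKG_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")

# `dumpsys device_policy` names each enabled admin as ComponentInfo{pkg/class}.
# The surrounding headers differ between Android versions, so only that token is parsed.
ADMIN_COMPONENT = re.compile(r"ComponentInfo\{([^/}]+)/[^}]+\}")


def parse_installers(pm_output: str) -> dict:
    """Map package name -> installer package (None when the installer is null)."""
    installers = {}
    for line in pm_output.splitlines():
        m = PKG_LINE.match(line.strip())
        if m:
            pkg, installer = m.groups()
            installers[pkg] = None if installer == "null" else installer
    return installers


def not_from_store(installers: dict, trusted=TRUSTED_INSTALLERS) -> list:
    """Third-party packages whose installer of record is not a trusted store."""
    return sorted(pkg for pkg, inst in installers.items() if inst not in trusted)


def active_admins(dumpsys_output: str) -> list:
    """Package names that currently hold a device-admin receiver."""
    return sorted(set(ADMIN_COMPONENT.findall(dumpsys_output)))


def play_listing_url(pkg: str) -> str:
    """Play Store listing to open by hand; a missing page means the app was pulled."""
    return "https://play.google.com/store/apps/details?id=" + pkg


def triage(pm_output: str, dumpsys_output: str) -> dict:
    """Combine the three checks into one report."""
    installers = parse_installers(pm_output)
    return {
        "not_from_store": not_from_store(installers),
        "device_admins": active_admins(dumpsys_output),
        "play_listings": {pkg: play_listing_url(pkg) for pkg in installers},
    }


def adb_shell(*args: str) -> str:
    """Run a command on the attached device via adb (only used with --live)."""
    return subprocess.run(["adb", "shell", *args], capture_output=True,
                          text=True, check=True).stdout


# Constructed sample output with hypothetical package names; not data from a real device.
SAMPLE_PM = """\
package:com.example.cakevpn  installer=com.android.vending
package:com.example.beatplayer  installer=com.android.vending
package:com.example.dropped.payload  installer=null
package:com.example.sideloaded.tool  installer=com.google.android.packageinstaller
"""

SAMPLE_DUMPSYS = """\
Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    ComponentInfo{com.example.dropped.payload/com.example.dropped.payload.AdminReceiver}:
      uid=10215
      policies:
        force-lock
        wipe-data
"""

if __name__ == "__main__":
    import sys
    if "--live" in sys.argv:
        pm = adb_shell("pm", "list", "packages", "-3", "-i")
        dp = adb_shell("dumpsys", "device_policy")
    else:
        pm, dp = SAMPLE_PM, SAMPLE_DUMPSYS
    report = triage(pm, dp)
    print("Installed by something other than Play:", report["not_from_store"])
    print("Holding device-admin rights:", report["device_admins"])
    for pkg, url in report["play_listings"].items():
        print(pkg, "->", url)
```

Run it without arguments to see the checks on the constructed sample; with `--live` it pulls the real output from the device attached over adb. Anything that shows up in both lists, an app that neither Play nor you installed and that holds device-admin rights, is the first thing to look at in Special app access.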

Screenshot: David Murphy
