A dropper dubbed Clast82, which employs a series of evasive techniques to avoid detection by Google Play Protect, infiltrated 9 Android apps distributed via the Google Play Store to deploy second-stage malware capable of gaining intrusive access to users' financial details.
According to Check Point researchers, the malware targets victims and takes full control of their devices by changing the dropped payload from a non-malicious one to the notorious AlienBot Banker and MRAT malware.
How did the 9 Android apps spread the AlienBot Banker and MRAT malware?
Check Point researchers discovered 9 Android apps used to spread the malware dropper (Clast82), namely: eVPN, BeatPlayer, Cake VPN, Pacific VPN, QR/Barcode, Music Player, tooltipnatorlibrary, Scanner MAX, and QRecorder. Google promptly removed those apps from the Play Store on February 9, after Check Point reported the findings.
During the evaluation of Clast82 on Google Play, the configuration from the Firebase C&C shows an “enable” parameter, and based on the parameter’s value the malware can “decide” whether or not to trigger the malicious behavior. This parameter is set to “false” by default and only changes to “true” after Google has published the app on the Google Play Store.
The malware’s ability to run undetected shows the importance of a capable mobile security solution: it isn't enough to scan the app only during the evaluation period, because a threat actor can easily change the app’s behavior after it is published using third-party tools.
How to mitigate against such malicious mobile apps
As the Clast82 payload does not originate from the Google Play Store, scanning apps would not actually have prevented the installation of the malicious app.
Therefore, the only solution is to monitor the device itself: constantly scanning network connections and the behavior of installed applications would certainly be able to detect such malicious behavior.
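One way to express the on-device monitoring described above as a correlation rule, given here as an added example that is not code from Check Point or from the original article: it flags an app whose remote configuration flag flips from false to true and which then requests a package install that does not come through Google Play. The event schema, field names, sample app names and the one-hour window are assumptions made for illustration; the sample telemetry is constructed.

```python
from collections import defaultdict

PLAY_INSTALLER = "com.android.vending"  # package name of the Google Play Store app
WINDOW = 3600  # seconds between flag flip and install request (assumed value)

# Constructed telemetry in a hypothetical schema (not taken from the report).
EVENTS = [
    {"t": 100, "app": "com.example.vpn", "type": "remote_config", "key": "enable", "value": False},
    {"t": 200, "app": "com.example.notes", "type": "remote_config", "key": "dark_mode", "value": True},
    {"t": 5000, "app": "com.example.vpn", "type": "remote_config", "key": "enable", "value": True},
    {"t": 5060, "app": "com.example.vpn", "type": "install_request", "installer": "com.example.vpn"},
    {"t": 6000, "app": "com.example.notes", "type": "install_request", "installer": "com.android.vending"},
]

def find_late_activation(events, window=WINDOW):
    """Return alerts for apps that request a non-Play install soon after a
    remote configuration flag changes from False to True."""
    last_value = {}            # (app, key) -> last observed value
    flips = defaultdict(list)  # app -> [(flip time, key)]
    alerts = []
    for ev in sorted(events, key=lambda e: e["t"]):
        app = ev["app"]
        if ev["type"] == "remote_config":
            prev = last_value.get((app, ev["key"]))
            # Only an observed False -> True transition counts as a flip;
            # a flag that is True on first sight has no baseline to compare.
            if prev is False and ev["value"] is True:
                flips[app].append((ev["t"], ev["key"]))
            last_value[(app, ev["key"])] = ev["value"]
        elif ev["type"] == "install_request" and ev["installer"] != PLAY_INSTALLER:
            for flip_t, key in flips[app]:
                if 0 <= ev["t"] - flip_t <= window:
                    alerts.append({"app": app, "flag": key,
                                   "flip_t": flip_t, "install_t": ev["t"]})
    return alerts

if __name__ == "__main__":
    for alert in find_late_activation(EVENTS):
        print(alert)
```

The rule depends on a baseline observed while the flag was still false, which is why a single scan during the evaluation period cannot produce this signal.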