Malware Operator Employs New Trick to Upload Its Dropper into Google Play

Check Point researchers recently discovered the Clast82 dropper hidden in nine legitimate Android utility apps.

Researchers at Check Point recently discovered that the operator of a malware tool that breaks into mobile users' financial accounts was employing a novel method to sneak its malware into Google's official Android Play app store.


The method involved using Google's own Firebase platform for command-and-control (C2) communications and using GitHub as a third-party hosting platform from which the main malware was downloaded. This let the attacker pass the security checks that Google conducts on every application before it can be published to the app store or installed on a device.


Check Point said its researchers in January discovered a new malware dropper hidden inside nine legitimate and known Android utility apps on Google Play store. The poisoned apps included several VPNs, a barcode reader, a music player, and a voice call recorder. "Those apps [were] based on open-source projects," says Aviran Hazum, Check Point's manager of mobile research. "The actor [could] just download the code, insert the malicious components, and compile the app."


When a user downloaded any of the weaponized apps — which Google has now removed from its Play store — the app would perform as expected even as it executed malicious activity in the background, Hazum said.


The researchers found that the dropper, called Clast82, was designed specifically to evade detection by Google's Play Protect scanning mechanisms during the app evaluation period. Once the evaluation was complete, the malware author essentially turned on the malicious behavior and got the dropper to install the AlienBot Banker and MRAT – two mobile malware families.
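The two paragraphs above describe the pattern that made Clast82 hard to catch at review time: a store build that carries only a remote-config client (Firebase) and a download path to a third-party host (GitHub), with the second-stage banker fetched after review. The following is an added static-triage heuristic, written for this article and not Check Point's or Google's detection logic, that flags that combination in an APK's declared permissions and string table. The regexes, the `triage_apk` function, the scoring thresholds and every sample URL and package name are constructed assumptions for illustration, not indicators taken from the campaign.

```python
import re

# Added triage heuristic (hypothetical; not Check Point's or Google's logic).
# The article states only that the dropper fetched its configuration from
# Firebase, pulled the real payload from GitHub, and kept malicious behaviour
# switched off during Play review; the patterns and thresholds below are
# assumptions chosen to surface that combination during static triage.

FIREBASE_RTDB_RE = re.compile(r"https?://[\w.-]+\.firebaseio\.com[\w./-]*", re.I)
GITHUB_FETCH_RE = re.compile(
    r"https?://(?:raw\.githubusercontent\.com|github\.com)/[\w./-]+", re.I
)
PAYLOAD_HINT_RE = re.compile(r"\.apk$|/releases/download/", re.I)
INSTALL_PERMISSION = "android.permission.REQUEST_INSTALL_PACKAGES"
DYNAMIC_LOAD_MARKERS = ("DexClassLoader", "PathClassLoader", "PackageInstaller")


def triage_apk(permissions, strings):
    """Return indicators found in an APK's declared permissions and string
    table, plus a coarse verdict. Both inputs are lists of str, e.g. the
    post-processed output of aapt or apktool (constructed samples below)."""
    indicators = {}

    # 1. Remote configuration endpoint that can flip behaviour after review.
    firebase = sorted({m.group(0) for s in strings for m in FIREBASE_RTDB_RE.finditer(s)})
    if firebase:
        indicators["remote_config_endpoint"] = firebase

    # 2. Third-party code host used as a payload source (only URLs that look
    #    like a binary download, not ordinary repository links).
    github = sorted({
        m.group(0)
        for s in strings
        for m in GITHUB_FETCH_RE.finditer(s)
        if PAYLOAD_HINT_RE.search(m.group(0))
    })
    if github:
        indicators["third_party_payload_host"] = github

    # 3. Ability to install or load the fetched code.
    if INSTALL_PERMISSION in permissions:
        indicators["install_permission"] = [INSTALL_PERMISSION]
    loaders = sorted({marker for s in strings for marker in DYNAMIC_LOAD_MARKERS if marker in s})
    if loaders:
        indicators["dynamic_code_loading"] = loaders

    can_install = "install_permission" in indicators or "dynamic_code_loading" in indicators
    if ("remote_config_endpoint" in indicators
            and "third_party_payload_host" in indicators and can_install):
        verdict = "high"    # remotely gated second-stage download: manual review
    elif "third_party_payload_host" in indicators and can_install:
        verdict = "medium"  # off-store payload source without a visible switch
    else:
        verdict = "low"
    return {"verdict": verdict, "indicators": indicators}


# Constructed sample inputs (placeholders, not real IoCs from the campaign).
SUSPICIOUS_PERMISSIONS = ["android.permission.INTERNET", INSTALL_PERMISSION]
SUSPICIOUS_STRINGS = [
    "https://example-project-default-rtdb.firebaseio.com/config",
    "https://github.com/example-org/example-repo/releases/download/v1.0/payload.apk",
    "Ldalvik/system/DexClassLoader;",
    "com.example.qrscanner",
]
BENIGN_PERMISSIONS = ["android.permission.INTERNET", "android.permission.CAMERA"]
BENIGN_STRINGS = [
    "https://github.com/example-org/example-repo/blob/main/README.md",
    "com.google.firebase.analytics.FirebaseAnalytics",
    "com.example.qrscanner",
]

if __name__ == "__main__":
    for label, perms, strs in (("suspicious", SUSPICIOUS_PERMISSIONS, SUSPICIOUS_STRINGS),
                               ("benign", BENIGN_PERMISSIONS, BENIGN_STRINGS)):
        print(label, triage_apk(perms, strs))
```

The heuristic deliberately distinguishes a Firebase Analytics or Crashlytics dependency (common in legitimate open-source utilities) from a Realtime Database endpoint, and an ordinary GitHub repository link from a release-asset download, so the utility apps the article describes would not be flagged on their dependencies alone. Because the second stage is fetched only after review, a static check on the store build can at best surface the plumbing; it should be paired with post-publication behavioural monitoring of what the installed app actually downloads and installs.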


To achieve this, the malware operator used an ..
