Research by: Aviran Hazum, Bohdan Melnykov, Israel Wernik
Check Point Research (CPR) recently discovered a new dropper spreading via the official Google Play store, which downloads and installs the AlienBot Banker and MRAT.
This dropper, dubbed Clast82, uses a series of techniques to avoid detection by Google Play Protect, passes the evaluation period successfully, and only then switches the payload it drops from a non-malicious one to the AlienBot Banker and MRAT.
The AlienBot malware family is Malware-as-a-Service (MaaS) for Android devices. As a first step, it lets a remote attacker inject malicious code into legitimate financial applications; the attacker then obtains access to the victims’ accounts and eventually takes complete control of the device. Once in control, the attacker can operate certain functions just as if they were holding the device physically, such as installing a new application on it, or even controlling it remotely with TeamViewer.
Figure 1 – Clast82 Malware on Google Play
General
This malware, dubbed Clast82, used a series of techniques to avoid detection by Google Play Protect:
During Clast82’s evaluation period on Google Play, the configuration sent from the Firebase C&C contains an “enable” parameter. Based on that parameter’s value, the malware “decides” whether or not to trigger its malicious behavior. The parameter is set to “false” during review and only changes to “true” after Google has published the Clast82 malware on Google Play.
Figure 2 – “Disabled” configuration sent from the Firebase C&C
Figure 3 – “Enabled” configuration sent from the Firebase C&C
The malware’s ability to remain undetected shows why a mobile security solution is needed. It is not enough to scan the app during the evaluation period, as a malicious actor can, and will, change the application’s behavior after review using third-party tools. A solution that monitors the device itself, constantly scanning network connections and per-application behavior, will be able to detect such behavior. Furthermore, the payload dropped by Clast82 does not originate from Google Play, so scanning applications at submission time will not prevent the installation of the malicious payload.
The Campaign
During our investigation of the Clast82 Dropper, we uncovered the infrastructure used by the actor for distributing and maintaining the campaign. For each application, the actor created a new developer user for the Google Play store, along with a repository on the actor’s GitHub account, thus allowing the actor to distribute different payloads to devices that were infected by each malicious application.
Figure 4 – The Actor’s GitHub Repositories
While looking into the actor’s fake developer accounts on Google Play, we came across another commonality: the developer email for all apps is the same, ‘[email protected]’, and the Privacy Policy link of each application points to the same repository, which also belongs to the actor (https://gohhas.github.io/<app-name>).
Figure 5 – Developer email and Privacy Policy Links
Figure 6 – GitHub status for the ‘Gohhas’ account
Figure 7 – Clast82’s campaign attack flow
Technical Analysis – Clast82
The actor used legitimate and well-known open-source Android applications and added the malicious code into them. This gave the dropper real functionality, along with a reason for the victim to download and install it from the official Google Play store. For instance, the malicious CakeVPN application is based on this GitHub repository.
On every application launch, the MainActivity starts a service called LoaderService, which runs the dropping flow. In addition, the MainActivity starts a foreground service to perform the malicious dropping task.
To comply with Android’s restrictions, an application that creates a foreground service must also show an ongoing notification to the user. Clast82 sidesteps this by showing a “neutral” notification. In the case of the patient zero, the CakeVPN app, the notification shown is “GooglePlayServices” with no additional text.
Figure 8 – calling the LoaderService from the OnCreate function
Figure 9 – The ongoing notification handling for Clast82
Figure 10 – The ongoing notification sent by Clast82
The foreground service registers a listener for the Firebase real-time database, from which it receives the path of the payload on GitHub.
Figure 11 – The communication with the Firebase C&C
Figure 12 – Parsing the Firebase data
After receiving the command from the Firebase C&C, the dropping flow starts with the ‘loadAndInstallApp’ function, which downloads the payload from GitHub, and calls the ‘installApp’ method to finalize the malicious activity.
Figure 13 – The loadAndInstallApp method
Figure 14 – The installApp method
If the infected device blocks installation of applications from unknown sources, Clast82 prompts the user every 5 seconds with a fake request, pretending to be ‘Google Play Services’, asking the user to allow the installation.
Figure 15 – Fake prompt to user
After the malicious payload is successfully installed, the dropper app launches the downloaded payload. In the case of Clast82, we were able to identify over 100 unique payloads of AlienBot, an Android Malware-as-a-Service (MaaS) banker that targets financial applications and attempts to steal the credentials and 2FA codes for those applications.
Figure 16 – Execution of the malicious payload
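The device-level monitoring argued for above can be expressed as a concrete behavioral rule over the flow just described: a non-installer app reads its configuration from a Firebase real-time database and shortly afterwards fetches an .apk from a GitHub “raw” URL. The following detector is an added example, not Check Point’s code or anything from the Clast82 samples. It runs over a constructed, simplified per-app network log (`<ISO timestamp> <package> <host> <path>`, one record per line); the installer allowlist, the 10-minute window and the sample paths are assumptions, while the host names come from the IOC appendix.

```python
"""Behavioural detector for the Clast82-style dropping flow (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

FIREBASE_SUFFIX = ".firebaseio.com"                          # Firebase RTDB hosts (see IOC appendix)
PAYLOAD_HOSTS = {"github.com", "raw.githubusercontent.com"}  # where Clast82 hosted its payloads
# Packages that may legitimately fetch APKs. Assumption: a site-specific allowlist.
INSTALLER_ALLOWLIST = {"com.android.vending", "com.google.android.packageinstaller"}
WINDOW = timedelta(minutes=10)                               # assumed max gap between C&C read and download


def parse_line(line):
    """Split one constructed log record into (timestamp, package, host, path)."""
    ts, pkg, host, path = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), pkg, host, path


def is_firebase(host):
    return host.lower().endswith(FIREBASE_SUFFIX)


def is_apk_download(host, path):
    return host.lower() in PAYLOAD_HOSTS and path.lower().endswith(".apk")


def detect_dropper_flow(lines):
    """Return {package: [(firebase_read_ts, apk_url), ...]} for every non-installer
    package that read a Firebase RTDB and then downloaded an .apk from GitHub
    within WINDOW. Records are sorted by timestamp first, so log order is irrelevant."""
    records = sorted(parse_line(line) for line in lines)
    firebase_reads = defaultdict(list)
    hits = defaultdict(list)
    for ts, pkg, host, path in records:
        if pkg in INSTALLER_ALLOWLIST:
            continue                      # app stores are expected to download APKs
        if is_firebase(host):
            firebase_reads[pkg].append(ts)
        elif is_apk_download(host, path):
            recent = [t for t in firebase_reads[pkg] if ts - t <= WINDOW]
            if recent:                    # C&C read followed by payload fetch: alert
                hits[pkg].append((recent[-1], f"https://{host}{path}"))
    return dict(hits)


# Constructed sample log. Paths are invented; hosts are taken from the IOC appendix.
SAMPLE_LOG = [
    # Benign chat app: uses Firebase but never fetches an APK.
    "2021-01-27T10:00:00 com.example.chat example-chat-default-rtdb.firebaseio.com /rooms.json",
    "2021-01-27T10:00:02 com.example.chat cdn.example.com /avatars/42.png",
    # Clast82 CakeVPN: Firebase config read followed by a GitHub raw .apk fetch.
    "2021-01-27T10:01:00 com.lazycoder.cakevpns cake-vpn-811be-default-rtdb.firebaseio.com /config.json",
    "2021-01-27T10:01:03 com.lazycoder.cakevpns github.com /clast82/publick/raw/main/none.apk",
    # Play Store updating an app: allowlisted installer, ignored.
    "2021-01-27T10:02:00 com.android.vending play.googleapis.com /download/app.apk",
    # Tool fetching a release build with no preceding Firebase read: not the pattern.
    "2021-01-27T10:03:00 com.example.devtool github.com /example/tool/raw/main/tool.apk",
]

if __name__ == "__main__":
    for pkg, events in detect_dropper_flow(SAMPLE_LOG).items():
        for read_ts, url in events:
            print(f"ALERT {pkg}: Firebase read at {read_ts:%H:%M:%S}, then APK from {url}")
```

Only the CakeVPN package is flagged: the chat app reads Firebase but downloads no APK, the Play Store is allowlisted, and the tool’s APK fetch has no preceding C&C read. The rule keys on the sequence, not on any single host, which is what makes it robust to the actor rotating GitHub repositories as the campaign section describes.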
Timeline
January 27th – Initial discovery
January 28th – Report to Google
February 9th – Google confirmed that all Clast82 apps were removed from the Google Play Store.
How to protect yourself
Harmony Mobile (formerly known as SandBlast Mobile) delivers complete protection for the mobile workforce by providing a wide range of capabilities that are simple to deploy, manage and scale. Harmony Mobile provides protection for all mobile vectors of attack, including the download of malicious applications and applications with malware embedded in them.
Appendix 1 – IOCs
| name | sha256 | package_name | Firebase account | Payload URL |
| --- | --- | --- | --- | --- |
| Cake VPN | 52adb34cc01aa8d034d71672f3efe02c8617641ee77bf6c5eb6806e834550934 | com.lazycoder.cakevpns | https://cake-vpn-811be-default-rtdb.firebaseio[.]com | https://github[.]com/clast82/publick/raw/main/none.apk |
| Pacific VPN | bb49fc80393647d379a8adc8d9dec2f9a21e86620ee950f94cdc341345df459c | com.protectvpn.freeapp | https://pacificvpn.firebaseio[.]com | https://github[.]com/clast82/publick/raw/main/coon.apk |
| eVPN | 232d3a2a172db5d0e02570a8ddbb8377dc5b8507aab85a51faf00631b51b7def | com.abcd.evpnfree | https://evpn-e7e0d.firebaseio[.]com | https://github[.]com/clast82/publick/raw/main/noon.apk |
| BeatPlayer | 609350daaadee74e6526dee7f533affdbf289f076837a2400017a928531c3da1 | com.crrl.beatplayers | https://beat-player-763d3-default-rtdb.firebaseio[.]com | Not enabled |
| BeatPlayer | 804fb97dbe7dc93f7ed37963f120ef5f5f7e6253501bd60f08433b0fd5c3db74 | com.crrl.beatplayers | https://beat-player-763d3-default-rtdb.firebaseio[.]com | Not enabled |
| QR/Barcode Scanner MAX | 82ea6fc0f57ae82cf7c51a039b6dee7b81b4ece0579a784ee35f02e71b833f3e | com.bezrukd.qrcodebarcode | https://qrscanner-aa57d.firebaseio[.]com | https://github[.]com/clast82/publick/raw/main/coon.apk |
| eVPN | 80a4380b812df71401733b0b37005e82a96f18b07be5317e82f38658b1551c5a | com.abcd.evpnfree | https://evpn-e7e0d.firebaseio[.]com | https://github[.]com/clast82/publick/raw/main/noon.apk |
| Music Player | 6f6c16481c0f3a4bd3afcaa9aa881e569c65e067c09efd4ac4828ead29242c95 | com.revosleap.samplemusicplayers | https://sample-music-player-default-rtdb.firebaseio[.]com | Not enabled |
| tooltipnatorlibrary | bbe2e4a68eb2a2589b6b7ba9afefd241f8eb6d8db6fa19fdd4d383311a019567 | com.mistergrizzlys.docscanpro | https://docscan-3f3c1-default-rtdb.firebaseio[.]com | https://github[.]com/skinner222/grace/raw/main/boost.apk |
| QRecorder | 4d4f8acda2e9b430d5f3a175dbeee9dfcd07a9f26332b1a0b9e94166b1bc077f | com.record.callvoicerecorder | https://qrecordernew-default-rtdb.firebaseio[.]com | https://github[.]com/clast82/publick/raw/main/brain.apk |
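A practical way to use the appendix is to sweep a fleet for these indicators. The matcher below is an added example, not Check Point’s tooling. It embeds three of the appendix rows as written (defanged with `[.]`), and takes two constructed inputs: an app inventory as (package name, APK sha256) pairs, as an MDM agent could export, and the hosts and URLs the device contacted. A sha256 match is treated as confirmed; a package-name-only match is only flagged for review, because the actor repackaged open-source apps and a clean build may carry the same package name. Firebase hosts are matched on their own, whereas payload URLs are matched in full, since github.com by itself is not an indicator.

```python
"""IOC matcher for the Clast82 appendix (added example)."""
from urllib.parse import urlparse

# (name, sha256, package_name, Firebase account, Payload URL): rows copied from the appendix.
IOCS = [
    ("Cake VPN",
     "52adb34cc01aa8d034d71672f3efe02c8617641ee77bf6c5eb6806e834550934",
     "com.lazycoder.cakevpns",
     "https://cake-vpn-811be-default-rtdb.firebaseio[.]com",
     "https://github[.]com/clast82/publick/raw/main/none.apk"),
    ("eVPN",
     "232d3a2a172db5d0e02570a8ddbb8377dc5b8507aab85a51faf00631b51b7def",
     "com.abcd.evpnfree",
     "https://evpn-e7e0d.firebaseio[.]com",
     "https://github[.]com/clast82/publick/raw/main/noon.apk"),
    ("BeatPlayer",
     "609350daaadee74e6526dee7f533affdbf289f076837a2400017a928531c3da1",
     "com.crrl.beatplayers",
     "https://beat-player-763d3-default-rtdb.firebaseio[.]com",
     "Not enabled"),
]


def refang(value):
    """Turn the defanged 'example[.]com' notation back into a real host name."""
    return value.replace("[.]", ".")


def host_of(url):
    return urlparse(refang(url)).hostname


def match_inventory(inventory, iocs=IOCS):
    """Return (package, verdict, campaign app name) for each installed app that
    matches: 'confirmed' on sha256, 'review' on package name only."""
    by_hash = {row[1].lower(): row[0] for row in iocs}
    by_pkg = {row[2]: row[0] for row in iocs}
    findings = []
    for pkg, sha256 in inventory:
        sha256 = sha256.lower()           # tolerate upper-case hex from the agent
        if sha256 in by_hash:
            findings.append((pkg, "confirmed", by_hash[sha256]))
        elif pkg in by_pkg:
            findings.append((pkg, "review", by_pkg[pkg]))
    return findings


def match_hosts(contacted_hosts, iocs=IOCS):
    """Map each contacted host that is a known Clast82 Firebase C&C to its app name."""
    c2 = {host_of(row[3]): row[0] for row in iocs if row[3].startswith("http")}
    return {h: c2[h.lower()] for h in contacted_hosts if h.lower() in c2}


def match_urls(requested_urls, iocs=IOCS):
    """Exact match of requested URLs against the payload URLs; rows whose
    payload was 'Not enabled' at research time contribute nothing."""
    payloads = {refang(row[4]): row[0] for row in iocs if row[4].startswith("http")}
    return {u: payloads[u] for u in requested_urls if u in payloads}


# Constructed sample inputs (not real telemetry).
SAMPLE_INVENTORY = [
    ("com.lazycoder.cakevpns",
     "52ADB34CC01AA8D034D71672F3EFE02C8617641EE77BF6C5EB6806E834550934"),
    ("com.crrl.beatplayers", "deadbeef" * 8),   # same package name, unknown build
    ("com.example.benign", "00" * 32),
]
SAMPLE_HOSTS = ["evpn-e7e0d.firebaseio.com", "play.googleapis.com"]
SAMPLE_URLS = ["https://github.com/clast82/publick/raw/main/none.apk",
               "https://github.com/example/tool/raw/main/tool.apk"]

if __name__ == "__main__":
    for pkg, verdict, name in match_inventory(SAMPLE_INVENTORY):
        print(f"{verdict:9} {pkg} ({name})")
    for host, name in match_hosts(SAMPLE_HOSTS).items():
        print(f"C&C host  {host} ({name})")
    for url, name in match_urls(SAMPLE_URLS).items():
        print(f"payload   {url} ({name})")
```

Against the sample inputs this confirms the CakeVPN APK by hash, flags the BeatPlayer package for review because its hash differs from both appendix rows, and reports the eVPN Firebase host and the CakeVPN payload URL; the benign app and the Play Store host produce nothing.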