Check Your Android for These AlienBot and MRAT Apps in Disguise

Bill Mount


A handful of malware-filled Android apps have, once again, been removed from the Google Play Store. All of them took advantage of the latest trend in malware design: masquerading as innocent clones of useful apps so they pass Google's initial review, then swapping in the real malware once people started downloading and using them.

The good news? The apps in question didn’t appear to have a ton of downloads. Thousands, at best, rather than millions, so odds are pretty high that you haven’t heard of any of the affected apps. Whoever was responsible for the attack, however, set them all up under different developers, so there’s no commonality there to look for.

Aside from the app names, which we’ll list in a second, the only other unifying characteristics are that the attacker used the same developer email for each—“[email protected]”—and all the apps link to the same privacy page online (“https://gohhas.github.io,” followed by the name of the app).

If you have any of these apps still installed on your Android, it’s time to ditch them:

  • Cake VPN
  • Pacific VPN
  • eVPN
  • BeatPlayer
  • QR/Barcode Scanner MAX
  • Music Player
  • tooltipnatorlibrary
  • QRecorder

Android's Settings app won't show you an app's developer name, contact email, or privacy policy, but it can take you to the app's Google Play listing, which tells you whether the app still exists on the store at all. On my Pixel, that's as easy as going to Settings > Apps & notifications > See all [number] apps > [app name] > Advanced > App details, which opens Google's Play Store listing for the app. If the listing is gone and the app shares its name with one of the ones listed above, treat it as one of these malicious clones and uninstall it. If the listing is still up, scroll to its developer contact section: a match on the developer email above is a giveaway even for a generic name like "Music Player," which plenty of legitimate apps also use.


As for how said malware works, Check Point Research has a great write-up:

Check Point Research (CPR) recently discovered a new Dropper spreading via the official Google Play store, which downloads and installs the AlienBot Banker and MRAT.

This Dropper, dubbed Clast82, utilizes a series of techniques to avoid detection by Google Play Protect, completes the evaluation period successfully, and changes the payload dropped from a non-malicious payload to the AlienBot Banker and MRAT.

The AlienBot malware family is a Malware-as-a-Service (MaaS) for Android devices that allows a remote attacker, at a first step, to inject malicious code into legitimate financial applications. The attacker obtains access to victims’ accounts, and eventually completely controls their device. Upon taking control of a device, the attacker has the ability to control certain functions just as if he was holding the device physically, like installing a new application on the device, or even control it with TeamViewer.

Though the odds are low that you have one of these apps, if you did install one, I recommend grabbing Malwarebytes and running a (free) scan. While you're at it, change the password for any financial account tied to an app on your Android, and do it from a device you trust rather than the possibly compromised phone, since capturing those credentials is exactly what AlienBot is built for. If Malwarebytes doesn't find anything on your device, you have two choices: tough it out and hope for the best, or be extra security-minded and factory-reset your device, reinstalling everything from scratch.

I’m not sure which option I’d go with, and I haven’t been able to find much information about AlienBot or MRAT removal. You can consider installing one or two other scanning apps to see if they pick up anything (F-Secure, or even Avast), and if they all agree that nothing is wrong, you could let it be, after triple-checking that no unfamiliar app holds elevated powers on your device: the aforementioned Apps & notifications screen > Special app access > Device admin apps shows which apps are device administrators, and Settings > Accessibility shows which ones have an accessibility service switched on, the access Android banking malware generally relies on to read your screen and lay fake login forms over real banking apps. Anything you don't recognize in either list deserves to be removed.
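If you have USB debugging enabled, the accessibility half of that check can be scripted over adb. The script below is an added example, not code from the article or from Check Point's write-up: it reads the device's enabled accessibility services with the standard `adb shell settings get secure enabled_accessibility_services` command and prints every package you did not deliberately grant that power to. The allowlist and the sample string are assumptions and constructed data; the unknown package name in the sample is hypothetical.

```shell
#!/bin/sh
# Added example, not from the article or from Check Point: audit over adb which
# apps on a connected Android phone hold accessibility-service access, the power
# Android banking malware relies on to read screens and draw overlays over
# banking apps. The adb command is standard Android tooling; KNOWN_OK and
# SAMPLE below are an assumption and constructed data respectively.

# Packages whose accessibility access the phone's owner granted on purpose.
# Assumption: edit this for your own device.
KNOWN_OK="com.google.android.marvin.talkback"

# Takes the raw value of enabled_accessibility_services (colon-separated
# "package/service" entries, or the literal "null" when none is enabled) and
# prints every package not in KNOWN_OK, one per line.
suspicious_accessibility() {
    raw=$1
    [ "$raw" = "null" ] && return 0
    printf '%s\n' "$raw" | tr ':' '\n' | while IFS= read -r svc; do
        [ -n "$svc" ] || continue
        pkg=${svc%%/*}
        case " $KNOWN_OK " in
            *" $pkg "*) ;;            # deliberately enabled, skip
            *) printf '%s\n' "$pkg" ;;
        esac
    done
}

# Live check against a phone with USB debugging enabled; tr strips the CR that
# some adb versions append to shell output.
audit_device() {
    suspicious_accessibility "$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')"
}

# Constructed sample: TalkBack plus one unknown service from a hypothetical
# package. Call audit_device instead to check a real phone.
SAMPLE='com.google.android.marvin.talkback/.TalkBackService:com.example.unknownplayer/.OverlayService'

suspicious_accessibility "$SAMPLE"
# prints: com.example.unknownplayer
```

Run `audit_device` with the phone plugged in; an empty result means only the packages in KNOWN_OK hold accessibility access. Device administrators are not exposed through the same setting; `adb shell dumpsys device_policy` lists the enabled device admins for a manual look, and anything there you don't recognize warrants the same treatment.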

