Skip to main content

Google has removed a bunch of malicious VPNs from the Play Store

Phone malware
(Image credit: Shutterstock)

Google has removed nine malicious utility and VPN apps from the Play Store after they were found to contain a malware dropper by Check Point Research.

The cybersecurity firm recently discovered a new dropper spreading via the Google Play Store which it has dubbed Clast82. Unlike other malware droppers, Clast82 has the ability to avoid detection by Google Play Protect, successfully complete Google's evaluation period and change its payload to the AlienBot Banker and MRAT.

The AlienBot malware family is a Malware-as-a-Service (MaaS) for Android devices that allows a remote attacker to inject malicious code into legitimate financial apps. An attacker can obtain access to victims' accounts and even completely control their device just as if they were holding it physically.

While Cake VPN, Pacific VPN, eVPN, BeatPlayer, QR/Barcode Scanner MAX, Music Player, tooltipnatorlibrary, and Qrecorder have all now been removed from the Google Play Store, if you have any of these apps installed on your devices, you should delete them immediately.

Avoiding detection

During its investigation of the Clast82 dropper, Check Point uncovered the infrastructure used by the threat actor behind it to distribute and maintain the campaign.

For each application, the actor created a new developer user for the Google Play Store along with a repository on their GitHub account which allowed them to distribute different payloads to devices that were infected with each of the malicious apps.

The Clast82 dropper is able to avoid detection during Google's evaluation period due to the fact that the configuration sent from the Firebase C&C server used to control it contains an “enable” parameter. Based on the parameter's value, the malware will then “decide” whether or not to trigger its malicious behavior. This parameter is set to “false” and will only change to “true” after Google has published one of the threat actor's malicious apps on the Play Store.

To prevent falling victim to the AlienBot malware, Check Point recommends that users carefully scrutinize any apps before downloading them and the cybersecurity firm also recommends that users install an Android antivirus app on their smartphones.

Anthony Spadafora

After living and working in South Korea for seven years, Anthony now resides in Houston, Texas where he writes about a variety of technology topics for ITProPortal and TechRadar. He has been a tech enthusiast for as long as he can remember and has spent countless hours researching and tinkering with PCs, mobile phones and game consoles.