The AlienBot Malware is a threat offered for purchase through a Malware-as-a-Service (MaaS) model. The AlienBot Malware is capable of injecting corrupted code into legitimate banking and payment applications. Its range of threatening functionality goes further, as the threat also allows remote attackers to take over the infected device completely. The hackers can harvest account credentials, install arbitrary applications, or even control the device with TeamViewer.
The capabilities of the AlienBot Malware as a late-stage payload were on full display in a recent attack campaign that managed to infiltrate the official Google Play store with nine weaponized applications. The hackers relied on a never-before-seen malware dropper called Clast82 to bypass the security measures of Google's mobile store. The threatening applications were based on legitimate open-source applications that were modified to include the Clast82 code. The nine identified applications that breached the Google Play store are:
- Cake VPN,
- eVPN (two different versions),
- Music Player,
- Pacific VPN,
- QR/Barcode Scanner MAX,
After being notified about the attack campaign, Google removed all of the threatening applications promptly. Users who have one of them installed are still at risk and should use a professional anti-malware solution to clean their Android device.