Clast82

Infosec researchers have uncovered a new attack campaign targeting Android users. The operation distributes malware payloads through nine malicious applications that managed to slip past the security checks of the Google Play Store. To achieve this, the threat actors employed a brand new malware dropper named Clast82.

According to the findings of the security analysts, Clast82 was injected into known legitimate open-source applications. A total of nine such applications made it into Google's mobile store - BeatPlayer, Cake VPN, eVPN (two different versions), Music Player, Pacific VPN, QR/Barcode Scanner MAX, QRecorder, and tooltipnattorlibrary. Each weaponized application had its own code repository on GitHub, as well as a newly created developer account on the Google Play store. Evidence suggests that a single threat actor is behind the operation: all of the fake developer accounts used the same email address, and the Policy page was not only identical for each application but also pointed to the same GitHub repository.

Clast82 Attack Chain

The Clast82 dropper played an essential part in the attack campaign. The dropper decides whether to trigger its malicious behavior based on a specific parameter it receives, which is used to stay dormant during the Google Play Store's evaluation period. This parameter is set to 'false' by default and is only switched to 'true' after the Clast82-carrying application has been published on the store.

Once users have installed one of the malicious applications, Clast82 activates a service responsible for fetching the next-stage payload. Android requires such a service to show an ongoing notification; the dropper satisfies this requirement without drawing attention by displaying what is called a 'neutral' notification. For example, the user is presented with a message that simply states 'GooglePlayServices' without any additional details. If the compromised device is set to block application installations from unknown sources, Clast82 begins to pester the user with fake requests designed to appear as if they are coming from Google Play Services. These intrusive prompts are generated every five seconds.
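The two device-side behaviors described above (a 'neutral' notification impersonating Google Play Services from a non-Google package, and fake install prompts repeating at a five-second cadence) can be turned into simple detection logic over a notification log. The following is an added example, not code from the researchers or from Clast82 itself; the package names and the notification events are constructed, and the one-second tolerance and three-prompt threshold are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Real package name of Google Play Services; anything else claiming to be it is suspect.
GOOGLE_PLAY_SERVICES_PKG = "com.google.android.gms"
IMPERSONATION_TERM = "googleplayservices"   # matched after stripping spaces/case
PESTER_INTERVAL_S = 5.0                     # cadence of the fake prompts described in the article
PESTER_TOLERANCE_S = 1.0                    # assumed jitter allowance
PESTER_MIN_COUNT = 3                        # assumed threshold for calling it a "storm"

@dataclass
class NotificationEvent:
    ts: float        # seconds since boot (constructed)
    package: str     # package that posted the notification
    title: str
    text: str
    ongoing: bool    # foreground-service ("ongoing") notification

def impersonates_play_services(ev: NotificationEvent) -> bool:
    """True when a non-Google package labels its notification as Google Play Services."""
    blob = (ev.title + ev.text).lower().replace(" ", "")
    return ev.package != GOOGLE_PLAY_SERVICES_PKG and IMPERSONATION_TERM in blob

def neutral_ongoing_notifications(events):
    """Ongoing notifications with an impersonating title and no body text (the 'neutral' notification)."""
    return [ev for ev in events if ev.ongoing and not ev.text.strip() and impersonates_play_services(ev)]

def find_prompt_storms(events, interval=PESTER_INTERVAL_S, tolerance=PESTER_TOLERANCE_S, min_count=PESTER_MIN_COUNT):
    """Map package -> longest run of impersonating prompts spaced ~interval seconds apart."""
    stamps_by_pkg = defaultdict(list)
    for ev in events:
        if impersonates_play_services(ev) and not ev.ongoing:
            stamps_by_pkg[ev.package].append(ev.ts)
    storms = {}
    for pkg, stamps in stamps_by_pkg.items():
        stamps.sort()
        run = best = 1
        for earlier, later in zip(stamps, stamps[1:]):
            run = run + 1 if abs((later - earlier) - interval) <= tolerance else 1
            best = max(best, run)
        if best >= min_count:
            storms[pkg] = best
    return storms

# Constructed sample log: one neutral ongoing notification, four prompts 5 s apart,
# one genuine Play Services notification, and an unrelated music-player notification.
SAMPLE_EVENTS = [
    NotificationEvent(10.0, "com.example.qrscanner", "GooglePlayServices", "", True),
    NotificationEvent(20.0, "com.example.qrscanner", "Google Play Services", "Update required. Tap to install", False),
    NotificationEvent(25.0, "com.example.qrscanner", "Google Play Services", "Update required. Tap to install", False),
    NotificationEvent(30.0, "com.example.qrscanner", "Google Play Services", "Update required. Tap to install", False),
    NotificationEvent(35.0, "com.example.qrscanner", "Google Play Services", "Update required. Tap to install", False),
    NotificationEvent(40.0, GOOGLE_PLAY_SERVICES_PKG, "Google Play services", "Updating components", False),
    NotificationEvent(50.0, "com.example.musicplayer", "Now playing", "Track 3", True),
]
```

Running `find_prompt_storms(SAMPLE_EVENTS)` on the constructed log attributes a four-prompt storm to the fake scanner package, while the genuine Play Services entry is never counted.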

On most of the infected devices, Clast82 deployed an infostealer malware called AlienBot. This particular threat is available for purchase as a malware-as-a-service (MaaS) and it enables attackers to inject code into legitimate banking applications. The goal is to collect payment information such as bank credentials or credit/debit card details. In a couple of instances, however, the attack on the compromised devices was escalated by dropping MRAT, a data-harvesting malware tool that was first detected back in 2014 when it was used against Hong Kong protestors.

After being notified about the attack campaign, Google has taken down all of the Clast82 fake applications available on the Play store.
