Malicious VPNs Discovered on Google Play Store

Man using VPN on mobile

Google has removed 3 malicious VPNs and other malicious apps from its Play Store because they contained a previously unknown dropper. The dropper spreads the banking trojan AlienBot Banker and MRAT to access victims’ accounts and take control of their devices.

The Malicious VPNs

Google recently removed 3 VPNs from the Play Store after they were found to contain a malware dropper. The removed malicious VPNs are Cake VPN, Pacific VPN and eVPN, all Android VPNs.

Furthermore, 6 utility apps were discovered that contained the dropper and were thus also removed from the Play Store. These apps were BeatPlayer, QR/Barcode Scanner MAX, Music Player, tooltipnatorlibrary, and Qrecorder.

Researchers from the cybersecurity firm Check Point Research discovered the previously unknown dropper, nicknamed Clast82, on 27 January. They informed Google the next day. By 9 February, Google confirmed that the malicious apps had been removed from the Play Store.

The researchers stated in a report published yesterday that the malicious apps seemed to have been developed by one cybercriminal. The above-mentioned 9 apps have been downloaded approximately 15,000 times.

The Dropper’s Aim

Clast82 dropper’s aim is to deliver the AlienBot Banker trojan via various VPN, QR code scanner and music player apps. AlienBot is a banking trojan for Android devices from the Malware-as-a-Service (MaaS) family. Usually, this trojan is used by cybercriminals to inject malicious code into genuine financial applications to gain access to victims’ bank accounts. Once access has been gained, attackers steal victims’ funds and financial data.

However, in this instance, AlienBot was used to load malware into newly created malicious apps that are based on legitimate utility apps. Rather than in pre-existing financial apps. For example, Check Point discovered that the malicious Cake VPN app is based on the open-source Cake mobile web browser. This browser for mobiles comes with a built-in VPN to help protect customer’s privacy.

Full Control of Compromised Device

Once activated, AlienBot loads a Mobile Remote Access Trojan (MRAT), a piece of malware used to remotely control victims’ mobile devices. With MRATs, attackers can fully control compromised devices and even intercept two-factor authentication codes sent to them from various genuine applications.

“Upon taking control of a device, the attacker has the ability to control certain functions, just as if they were holding the device physically, like installing a new application on the device, or even control it with TeamViewer,” a Check Point Research blog states.

Clast82 Avoids Play Store Protect

Check Point researchers discovered that the cybercriminal behind the malicious VPN apps used legitimate readily available third-party resources in the campaign. The hacker used Google’s own Firebase platform for Command-and-Control (C2) communications. And GitHub as the repository for the malicious apps’ payloads.

To avoid detection from Google Play Protect the cybercriminal used two techniques.

Enable Parameter

Firstly, the cybercriminal disabled Clast82 dropper’s malicious behavior during Google’s application evaluation period. The dropper was designed with an “enable” parameter that allows it to determine when to deliver its malicious payload. When the malicious apps were first loaded onto the Play Store, the apps contained a non-malicious payload. And the dropper’s parameter was set to “false”.

Once Google’s evaluation period was over and Google published the apps, the dropper’s parameter was set to “true”. This triggered a message to be sent via Firebase to download the malicious payload, the AlienBot Banker trojan, from GitHub. Then, the non-malicious payload was swapped out for the malicious one.

Multiple Developer Users

Secondly, the bad actor created a new Google Play developer user for each malicious app. This allowed the cybercriminal to distribute different payloads to a compromised device, depending on the malicious app(s) the victim installed.

AlienBot, and subsequently MRAT, are distributed when victims download the app onto their devices and install it. Furthermore, if the option to install apps from unknown sources was turned off on a device, Clast82 repeatedly urged the user with what appeared to be a legitimate Google Play Services prompt to enable the permission.

Researchers’ Recommendations

To avoid falling victim to AlienBot in malicious VPN or other apps, Check Point recommends that users install an Android antivirus application on their devices.

“The dropper’s ability to remain undetected demonstrates the importance of why users should install a mobile security solution on their device. It is not enough to just scan the app during the evaluation period, as a malicious actor can, and will, change the application’s behavior using readily available third-party tools,” Aviran Hazum, manager of mobile research at Check Point warned.

In such situations, only a solution that constantly monitors a device for abnormal behavior would be able to protect against such malicious apps.

Some Android VPNs, such as Surfshark VPN, provide some protection against malware. However, for the best protection possible, it is best to install a piece of dedicated antivirus software. As well as using a VPN to ensure safe internet browsing and privacy.

Information technology expert
Grace is an information technology expert who joined the VPNoverview team in 2019, writing cybersecurity and internet privacy-based news articles. Due to her IT background in legal firms, these subjects have always been of great interest to her.