Check your Android for these AlienBot and MRAT apps in a flash

A handful of malware-laden Android apps have, once again, been pulled from the Google Play Store, all taking advantage of the latest trend in malware design: masquerading as innocent clones of useful apps to get past Google's initial screening, then transforming into crappy malware once people start downloading and using them.

The good news? Apparently these apps did not have a ton of downloads. Thousands, at best, rather than millions, so odds are pretty high that you haven’t heard of any of the affected apps. Whoever was responsible for the attack set them all up under different developers, however, so there's no single developer name to watch for.

Apart from the app names, which we will list in a second, the only other unifying features are that the attacker used the same developer email for each one (“sbarkas77590@gmail.com”) and that all of the apps link to the same online privacy policy page (“https://gohhas.github.io,” followed by the app name).

If any of these apps are still installed on your Android, it’s time to ditch them:

  • VPN cake
  • Pacific VPN
  • eVPN
  • BeatPlayer
  • QR / Barcode MAX scanner
  • Music player
  • tooltipnatorlibrary
  • QRecorder

While you can’t directly look up an app's developer name, contact information, or privacy policy on your smartphone, you can tap through to see if that app even exists on the Google Play Store anymore. On my Pixel, that’s as easy as going to Settings > Apps & notifications > See All [number] apps > [app name] > Advanced > App Details. That takes you to Google’s online listing for the app. If the listing doesn’t exist, and the app shares the same name as one of the ones I listed, you’ve installed malware.


Screenshot: David Murphy

As for how the malware works, Check Point Research has a great write-up:

Check Point Research (CPR) recently discovered a new Dropper rollout through the official Google Play store, which downloads and installs AlienBot Banker and MRAT.

This Dropper, called Clast82, uses a series of methods to avoid detection by Google Play Protect detection, successfully completes the evaluation period, and changes the payload dropped from a non-malicious payload to the AlienBot Banker and MRAT.

The AlienBot malware family is a Malware-as-a-Service (MaaS) for Android devices that allows a remote attacker, as a first step, to insert malicious code into legitimate financial applications. The attacker gains access to victims’ accounts, and eventually takes control of their device. By taking control of a device, the attacker has the ability to control certain tasks just as if he were physically holding the device, such as installing a new application on the device, or even controlling it with TeamViewer.

While odds are low, if you installed any of these shady apps on your device, I recommend grabbing Malwarebytes and giving your device a good (free) scan. While you’re at it, change the password for any financial accounts associated with apps you’ve installed on your Android. If Malwarebytes doesn’t find anything on your device, you have two options: shrug it off and hope for the best, or be extra safe and factory-reset your device, setting everything up again from the very beginning.

I’m not sure which option I would go with, and I couldn’t find much information about removing AlienBot or MRAT. You can consider installing one or two of the other scanning apps to see if they pick up anything (F-Secure, or even Avast), and if they all agree that nothing is wrong, you can probably assume you're fine, after triple-confirming through the aforementioned “Apps & notifications” screen > App access that there are no weirdly named apps that have been given admin permission on your device.
