Nine applications on Google Playstore are distributing malware dropper

March 15, 2021
google playstore play protect malware dropper Clast82 mobile app monitoring

Google Playstore is Google’s Official digital distribution service of Android applications. Initially, it was referred to as the Android Market and is one of the most trusted platforms used by millions of android users worldwide. Google Playstore offers various mobile applications with almost 2.9 million applications available for download and is continuously increasing with an estimate of 3739 new applications added daily.

Google Playstore has a Google Play Protect feature that helps android users to be protected against harmful applications. It can run a safety check on the applications on Playstore before you download it and periodically scan your device for any potentially dangerous applications that might contain malware. Google Play Protect also notifies the mobile user if there are any security risks found on the devices.

Recently, a new malware called Clast82 avoided the detection of Google Play Protect by using several techniques. Cybersecurity researchers found out that there are nine android applications, namely Cake VPN, Pacific VPN, eVPN, BeatPlayer, QR/Barcode Scanner MAX, Music Player, tooltipnatorlibrary, and QRecorder offered in Google Playstore that contains the new malware dropper with the capability to gain access to victims’ financial information and complete access control on the infected mobile device.


How did Clast82 evade the security of Google Play Protect?

The threat actor behind the new malware dropper uses legitimate and known open-source android applications such as Firebase, a Backend-as-a-Server (BaaS) platform that includes C&C Communication and Github for the payload repository. The code configuration from the Firebase C&C contains an enable parameter set to “false” for the period of Google’s evaluation. After the application is published on Google Playstore, the parameter will be set to “true” and uses Github, third party hosting platform, to download the malicious payload.


Google Playstore Clast82 Malware Dropper image 1


Google Playstore Clast82 Malware Dropper image 2


The threat actor of Clast82 dropper creates a new fake developer user account for Google Playstore and Github that contains the repository of the several payloads that can be delivered into the infected application.

The dropped payload from the Clast82 application consists of AlienBot Banker (Malware-as-a-Service (MaaS)) and MRAT. Suppose the device blocks the installation of the malicious payload from unfamiliar sources. In that case, Clast82 will send a fake request imitating “Google Play Services” asking permission to allow the installation of the application for every 5 seconds.


Google Playstore Clast82 Malware Dropper image 3


After successfully installing the payloads, it can provide remote access to the threat actor and inject malicious codes into legitimate financial applications to steal account credentials and two-factor authentication codes. It can also completely control the device using TeamViewer and install new applications.

The Clast82 applications were initially discovered on January 27th and reported to Google on January 28th.


On February 9th, Google validated that all the Clast82 applications have been removed from Google Playstore.


Every year, smartphone users’ growth continuously rises, and threat actors see it as an opportunity to develop and create a new malware capable of performing malicious activities on smartphones. Providing additional security measures on mobile phones are necessary as mobile malware is continuously increasing as an avenue of a cybercrime attack.

About the author

Leave a Reply