Google has removed a bunch of malicious VPNs from the Play Store

News
By published

Malicious apps contained a dropper used to spread the AlienBot Banker malware

Phone malware
(Image credit: Shutterstock)

Google has removed nine malicious utility and VPN apps from the Play Store after they were found to contain a malware dropper by Check Point Research.

The cybersecurity firm recently discovered a new dropper spreading via the Google Play Store which it has dubbed Clast82. Unlike other malware droppers, Clast82 has the ability to avoid detection by Google Play Protect, successfully complete Google's evaluation period and change its payload to the AlienBot Banker and MRAT.

The AlienBot malware family is a Malware-as-a-Service (MaaS) for Android devices that allows a remote attacker to inject malicious code into legitimate financial apps. An attacker can obtain access to victims' accounts and even completely control their device just as if they were holding it physically.

While Cake VPN, Pacific VPN, eVPN, BeatPlayer, QR/Barcode Scanner MAX, Music Player, tooltipnatorlibrary, and Qrecorder have all now been removed from the Google Play Store, if you have any of these apps installed on your devices, you should delete them immediately.

Avoiding detection

During its investigation of the Clast82 dropper, Check Point uncovered the infrastructure used by the threat actor behind it to distribute and maintain the campaign.

For each application, the actor created a new developer user for the Google Play Store along with a repository on their GitHub account which allowed them to distribute different payloads to devices that were infected with each of the malicious apps.

The Clast82 dropper is able to avoid detection during Google's evaluation period due to the fact that the configuration sent from the Firebase C&C server used to control it contains an “enable” parameter. Based on the parameter's value, the malware will then “decide” whether or not to trigger its malicious behavior. This parameter is set to “false” and will only change to “true” after Google has published one of the threat actor's malicious apps on the Play Store.

To prevent falling victim to the AlienBot malware, Check Point recommends that users carefully scrutinize any apps before downloading them and the cybersecurity firm also recommends that users install an Android antivirus app on their smartphones.

Anthony Spadafora
Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home. 

Read more
malware
Google warns of legit VPN apps being used to infect devices with malware
An Android phone being held in the hand
These malicious Android apps were installed over 60 million times - here's how to stay safe
In this photo illustration a Google Play logo seen displayed on a smartphone.
Why is there so much spyware hidden in the Play Store?
mobile phone
Popular Android financial help app is actually dangerous malware
Computer Hacked, System Error, Virus, Cyber attack, Malware Concept. Danger Symbol
China-linked cyberespionage group PlushDaemon used South Korean VPN service to inject malware
In this photo illustration a Google Play logo seen displayed on a smartphone.
Over 2 million risky Android apps were blocked from the Play Store last year
Latest in VPN Privacy & Security
A stethoscope next to a laptop on a pink background
How to check if your VPN is working
Teenager playing on a gaming PC with two monitors
Is using a VPN while gaming cheating? 5 myths you shouldn't believe about gaming with a VPN
Neon blue email symbols on a black background
Why am I suddenly getting so many spam emails?
A computer file surrounded by red laser beams
Cover your tracks: the risk of sending unencrypted files
Using an Amazon Fire Stick on a Smart TV
How to use a VPN with Fire Stick
Close up of PS5 DualSense controller leaning on a PS5
5 reasons your PS5 needs a VPN
Latest in News
L-mount alliance
Sirui joins L-Mount Alliance to deliver its superb budget lenses for Leica, DJI, Sigma and Panasonic cameras
Security padlock and circuit board to protect data
Trust in digital services around the world sees a massive drop as security worries continue
Samuel and Romy standing very close together in A24's Babygirl movie
Everything new on Max in April 2025, including A24's Babygirl and The Last of Us season 2
An AMD Radeon RX 9070 XT made by Sapphire on a table with its retail packaging
AMD’s secret weapon against Nvidia seems to be stock – way more RX 9070 GPUs are rumored to be hitting shelves than RTX 5000 models
Hacker silhouette working on a laptop with North Korean flag on the background
North Korea unveils new military unit targeting AI attacks
Seth Milchick and Kier Eagan's animatronic speaking in Severance season 2 episode 10
Apple TV+ announces Severance has been renewed for season 3 after that devastating finale
More about vpn privacy security
A stethoscope next to a laptop on a pink background

How to check if your VPN is working
Teenager playing on a gaming PC with two monitors

Is using a VPN while gaming cheating? 5 myths you shouldn't believe about gaming with a VPN
Autonomous SmartDesk 5

I built the Autonomous ErgoChair Ultra 2 in minutes - here's why this exoskeleton-like chair is so good
See more latest
Most Popular
AMD Instinct MI355X Accelerator
AMD signs huge multi-billion dollar deal with Oracle to build a cluster of 30,000 MI355X AI accelerators
Hacker silhouette working on a laptop with North Korean flag on the background
North Korea unveils new military unit targeting AI attacks
Gemma staring at something off-camera in Severance season 2 episode 10
'Everyone is going to be so torn': Severance star Dichen Lachman reacts to the popular Apple TV+ show's most 'intense' season 2 finale event
L-mount alliance
Sirui joins L-Mount Alliance to deliver its superb budget lenses for Leica, DJI, Sigma and Panasonic cameras
Laptop computer displaying logo of WordPress, a free and open-source content management system (CMS)
This top WordPress plugin could be hiding a worrying security flaw, so be on your guard
Security padlock and circuit board to protect data
Trust in digital services around the world sees a massive drop as security worries continue
Samuel and Romy standing very close together in A24's Babygirl movie
Everything new on Max in April 2025, including A24's Babygirl and The Last of Us season 2
An AMD Radeon RX 9070 XT made by Sapphire on a table with its retail packaging
AMD’s secret weapon against Nvidia seems to be stock – way more RX 9070 GPUs are rumored to be hitting shelves than RTX 5000 models
AMD Ryzen AI
New leak suggests AMD's working on an Arm-based processor to rival Qualcomm's Snapdragon X series
Representational image depecting cybersecurity protection
Cisco smart licensing system sees critical security flaws exploited