Applications with the Clast82 code, which downloads the AlienBot and mRAT trojans, have been found on Google Play. As soon as Google learned about the new finding, it removed the infected programs.

As it turned out, the main goal of the Clast82 operators was to load and launch the mRAT spyware or AlienBot banking trojan. The latter not only steals credentials and 2FA codes from clients of financial institutions, but also provides remote access to the Android device.

The code for this loader was identified in the following legitimate opensource applications:

• Cake VPN 

• Pacific VPN 

• eVPN

• BeatPlayer

• QR/Barcode Scanner MAX 

• Music Player 

• tooltipnatorlibrary 

• QRecorder

Source: anti-malware.ru