Google has reportedly removed six apps carrying the Sharkbot banking malware from the Google Play store. The apps had been downloaded 15,000 times before they were taken down. The six apps posed as antivirus solutions for Android smartphones and used a geofencing feature to select their targets, stealing login credentials for various websites and services. The infected apps were allegedly used to target users in Italy and the UK.
According to a Check Point Research blog post, six Android apps claiming to be genuine antivirus apps on the Google Play Store have been identified as "droppers" for the Sharkbot malware. Sharkbot is an Android information-stealing trojan that infects devices and steals login credentials and payment details from unsuspecting users. Once a dropper app is installed, it downloads the malicious payload and infects the user's device; because the malicious functionality is fetched after installation rather than shipped in the app submitted to the store, the dropper evades detection on the Play Store.
The Sharkbot malware distributed by the six fake antivirus apps also uses a geofencing feature to target victims in specific regions. According to the Check Point Research team, Sharkbot is designed to identify and ignore users in China, India, Romania, Russia, Ukraine and Belarus. It can also detect when it is running in a sandbox and halts execution to frustrate analysis.
Check Point Research identified six apps from three developer accounts: Zbynek Adamcik, Adelmio Pagnotto and Bingo Like Inc. The team also cites AppBrain statistics showing that the six apps were downloaded a total of 15,000 times before they were removed. Although they are gone from Google Play, some of these developers' apps remain available in third-party marketplaces.
Four of the malicious apps were discovered on February 25 and reported to Google on March 3; they were removed from the Play Store on March 9, according to Check Point Research. Two more Sharkbot dropper apps were discovered on March 15 and March 22, and both were reportedly taken down on March 27.
The researchers also described a total of 22 commands supported by the Sharkbot malware, including requesting SMS permissions, downloading Java code and installation files, updating databases and local configuration, uninstalling apps, collecting contacts, disabling battery optimization (so it can keep running in the background), sending push notifications and listening to notifications. Notably, Sharkbot can also request accessibility permissions, which let it read screen content and perform actions on the user's behalf.
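Three of the capabilities listed above (accessibility access, notification listening and a battery-optimization exemption) are visible on the device itself, so a defender can triage a handset for them over adb. The script below is an added example, not code from Check Point Research or from the Sharkbot write-up: it parses the text returned by `settings get secure enabled_accessibility_services`, `settings get secure enabled_notification_listeners` and `dumpsys deviceidle whitelist`, and flags every non-platform package holding at least one of the three. The sample outputs, the package names in them and the `TRUSTED_PREFIXES` allowlist are constructed assumptions for illustration.

```python
"""Flag non-platform Android packages holding the capabilities Sharkbot abuses.

Added example: feed it the raw text of three real adb commands (run as
`adb shell <command>`) and it reports which third-party packages hold
accessibility access, notification-listener access, or a user-granted
exemption from battery optimization (Doze). Sample outputs below are
constructed; the package names are hypothetical.
"""
import re
from collections import defaultdict

# Package-name prefixes treated as platform/vendor components and not flagged.
# Heuristic assumption for this example, not an official list; extend it for
# the OEM of the device being examined.
TRUSTED_PREFIXES = ("com.android.", "com.google.android.")

# Constructed output of: settings get secure enabled_accessibility_services
ACCESSIBILITY_OUT = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.cleanav/com.example.cleanav.AccessService"
)

# Constructed output of: settings get secure enabled_notification_listeners
LISTENERS_OUT = (
    "com.android.systemui/.statusbar.NotificationListener:"
    "com.example.cleanav/.NotifListener"
)

# Constructed output of: dumpsys deviceidle whitelist
WHITELIST_OUT = """\
system,com.android.phone,1001
user,com.example.cleanav,10245
user,com.example.messenger,10188
"""


def parse_component_list(output):
    """Parse the colon-separated 'package/Class' list used by both
    secure settings above. The literal 'null' means nothing is enabled.
    Returns the set of package names."""
    output = output.strip()
    if not output or output == "null":
        return set()
    packages = set()
    for component in output.split(":"):
        component = component.strip()
        if component:
            # The class part may be abbreviated ('.Foo'); only the package matters.
            packages.add(component.split("/", 1)[0])
    return packages


def parse_deviceidle_whitelist(output):
    """Parse 'system,<package>,<uid>' / 'user,<package>,<uid>' lines from
    `dumpsys deviceidle whitelist`. Only 'user' entries are returned, since
    those are the exemptions an app can talk a victim into granting."""
    packages = set()
    for line in output.splitlines():
        match = re.match(r"^(system|user),([\w.]+),(\d+)$", line.strip())
        if match and match.group(1) == "user":
            packages.add(match.group(2))
    return packages


def triage(accessibility_out, listeners_out, whitelist_out,
           trusted_prefixes=TRUSTED_PREFIXES):
    """Return {package: sorted indicator names} for each package outside the
    trusted prefixes that holds at least one of the three capabilities."""
    indicators = defaultdict(set)
    for pkg in parse_component_list(accessibility_out):
        indicators[pkg].add("accessibility_service")
    for pkg in parse_component_list(listeners_out):
        indicators[pkg].add("notification_listener")
    for pkg in parse_deviceidle_whitelist(whitelist_out):
        indicators[pkg].add("battery_optimization_exempt")
    return {
        pkg: sorted(found)
        for pkg, found in indicators.items()
        if not pkg.startswith(trusted_prefixes)
    }


if __name__ == "__main__":
    for pkg, found in sorted(triage(ACCESSIBILITY_OUT, LISTENERS_OUT, WHITELIST_OUT).items()):
        print(f"{pkg}: {', '.join(found)}")
```

A package that shows up with all three indicators and is not something the user knowingly set up (a screen reader, a password manager, a wearable companion) is worth pulling for analysis; a single indicator is common for legitimate apps and is only a prompt to look closer.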
According to the Check Point Research team, users can protect themselves from malware masquerading as legitimate software by installing apps only from trusted and verified publishers. If an app comes from a new publisher with few downloads and reviews, it is better to look for a trusted alternative. Users can also report seemingly suspicious behaviour to Google, the researchers said.