Google has reportedly removed six apps infected with the Sharkbot bank stealer malware from the Google Play store. The apps were downloaded 15,000 times before they were ejected from the store. All six apps were designed to pose as antivirus solutions for Android smartphones and were designed to select targets using a geofencing feature, stealing their login credentials for various websites and services. These infected applications were reportedly used to target users in Italy and the United Kingdom.
According to a blog post by Check Point Research, six Android applications pretending to be genuine antivirus apps on the Google Play store were identified as “droppers” for the Sharkbot malware. Sharkbot is an Android Stealer that is used to infect devices and steal login credentials and payment details from unsuspecting users. After a dropper application is installed, it can be used to download a malicious payload and infect a user’s device — evading detection from on the Play Store.
The Sharkbot malware used by the six fraudulent antivirus applications also used a ‘geofencing’ feature that is used to target victims in specific regions. According to the team at Check Point Research, the Sharkbot malware is designed to identify and ignore users from China, India, Romania, Russia, Ukraine, or Belarus. The malware is reportedly capable of detecting when it is being run in a sandbox and stops execution and shuts down to prevent analysis.
Check Point Research identified six applications from three developer accounts — Zbynek Adamcik, Adelmio Pagnotto, and Bingo Like Inc. The team also cites statistics from AppBrain that reveals that the six applications were downloaded a total of 15,000 times before they were removed. Some of the applications from these developers are still available in third party markets, despite having been removed from Google Play.
Four malicious apps were discovered on February 25 and reported to Google on March 3. The applications were removed from the Play Store on March 9, according to Check Point Research. Meanwhile, two more Sharkbot dropper apps were discovered on March 15 and March 22 — both were reportedly removed on March 27.
The researchers also outlined a total of 22 commands used by the Sharkbot malware, including requesting permissions for SMS, downloading java code and installation files, updating local databases and configurations, uninstalling applications, harvesting contacts, disabling battery optimisation (to run in the background), and sending push notifications, listening for notifications. Notably, the Sharkbot malware can also ask for accessibility permissions, allowing it to see the contents of the screen and perform actions on the user’s behalf.
According to the team at Check Point Research, users can stay safe from malware masquerading as legitimate software by only installing applications from trusted and verified publishers. If users find an application by a new publisher (with few downloads and reviews), it is better to look for a trusted alternative. Users can also report seemingly suspicious behaviour to Google, according to the researchers.