Six apps infected with the Sharkbot bank stealer malware have reportedly been removed from the Google Play Store. The apps were downloaded 15,000 times before they were removed from the store. All six apps were designed to pose as antivirus solutions for Android smartphones and to select their targets using a geofencing feature, stealing the victims' login credentials for various websites and services. These infected applications were reportedly used to target users in Italy and the United Kingdom.
According to a Check Point Research blog post, six Android apps pretending to be genuine antivirus apps in the Google Play Store have been identified as “droppers” for the Sharkbot malware. Sharkbot is an Android stealer used to infect devices and steal login credentials and payment details from unsuspecting users. Once a dropper application is installed, it can be used to download a malicious payload and infect the user’s device, avoiding detection by the Play Store.
The Sharkbot malware delivered by the six fraudulent antivirus applications also used a ‘geofencing’ feature to target victims in certain areas. According to the Check Point Research team, the Sharkbot malware is designed to identify and ignore users in China, India, Romania, Russia, Ukraine or Belarus. The malware is also known to be able to detect when it is running in a sandbox, at which point it stops executing, cutting the analysis short.
Check Point Research has identified six applications from three developer accounts: Zbynek Adamcik, Adelmio Pagnotto, and Bingo Like Inc. The team also cites statistics from AppBrain, which show that a total of 15,000 downloads were made before the six applications were removed. Despite being removed from Google Play, some applications from these developers are still available in third-party markets.
Four malicious apps were discovered on February 25 and reported to Google on March 3. The apps were removed from the Play Store on March 9, according to Check Point Research. Meanwhile, two more Sharkbot dropper apps were discovered on March 15 and March 22; both were reportedly removed on March 27.
The researchers outlined a total of 22 commands used by the Sharkbot malware, including requesting permission for SMS, downloading Java code and installation files, updating local databases and configurations, uninstalling applications, collecting contacts, disabling battery optimization, sending push notifications, and listening to notifications. Significantly, the Sharkbot malware can also ask for accessibility permissions, allowing it to view the contents of the screen and perform actions on behalf of the user.
According to the Check Point Research team, users can protect themselves from malware masquerading as legitimate software only by installing applications from trusted and verified publishers. If users find an application from a new publisher (with few downloads and reviews), it’s best to look for a trusted alternative. According to the researchers, users can report seemingly suspicious behavior to Google.