Researchers have spotted malicious apps on the Google Play Store pretending to be antivirus solutions. These malicious apps are laden with the SharkBot trojan that attempts to compromise Android devices.
SharkBot is an information stealer used for stealing credentials and banking information from the victims.
SharkBot’s antivirus campaign
- The trojan uses DGA and once installed, it fools victims into entering their credentials in small windows that appear to be common input forms.
- It abuses Android’s Accessibility Service to show fake overlay windows on top of legitimate banking apps.
- Further, it has the ability to auto-reply to notifications from Facebook Messenger and WhatsApp to spread links to fake antivirus apps.
Additionally, the trojan checks if it is running in a sandbox to stop being analyzed, and uses a geofencing feature to avoid targeting devices from India, China, Russia, Ukraine, Belarus, and Romania.
The malicious apps
Researchers have spotted a total of six different apps spreading SharkBot. These apps came from three developer accounts, named Adelmio Pagnotto, Bingo Like, and Zbynek Adamcik.
- By checking the history of these accounts, it was found that two of them were active in the fall of 2021. Some apps linked to these accounts were removed except in unofficial markets.
- These malicious apps were downloaded more than 15,000 times before Google removed them from the Play Store. Most of the victims were found in Italy and the U.K.
Conclusion
Every other day, cybercriminals are found invading the Google Play Store and similar platforms to spread their agenda, in this case, its SharkBot banking trojan. Thus, install apps only from trusted/verified publishers and report any suspicious apps to the store. Always monitor the behavior and ask permission after installing the app on devices.
Publisher
/https://cyware-ent.s3.amazonaws.com/image_bank/shutterstock_226388362.jpg)
/https://cyware-ent.s3.amazonaws.com/image_bank/9a35_shutterstock_2038946582.jpg)
