Malicious applications posing as anti-virus apps on Google Play Store
In a shocking incident, Check Point Research (CPR) found that six applications posing as anti-virus apps on Google Play Store were actually spreading banking malware. This banking malware is notorious for stealing the credentials and banking information of Android users.
Banking malware Sharkbot
During its investigation, CPR discovered that Sharkbot is a notorious banking malware that had infected devices at over 1,000 unique IP addresses, mostly in the UK and Italy. However, the malicious applications were downloaded more than 11,000 times according to Google Play Store statistics.
Sharkbot lures its victims through push notifications and by tricking users into entering credentials in windows that mimic input forms. When the user enters their credentials in these windows, the compromised data is sent to a malicious server.
Russian threat actors
CPR learned that the malware authors implemented a geofencing feature, which ignores device users in China, India, Romania, Russia, Ukraine or Belarus.
CPR suspected the threat actors are Russian-speaking and warned Android users worldwide to think twice before downloading anti-virus apps or solutions from the Play Store.
- Among the victims, 62% were in Italy, 36% in the UK, 2% in other countries
- Threat actors implemented a geofencing feature, which ignores device users in China, India, Romania, Russia, Ukraine and Belarus
- CPR responsibly disclosed findings to Google, who removed the malicious applications
Six malicious applications posing as ‘anti-virus apps’
Four of the applications came from three developer accounts: Zbynek Adamcik, Adelmio Pagnotto and Bingo Like Inc. When CPR checked the history of these accounts, it found that two of them were active in the fall of 2021.
Google Play removed some of the applications linked to these accounts, but they still exist in unofficial markets. This could mean that the actor behind the applications is trying to stay under the radar while still being involved in malicious activity.
“We discovered six applications on Google’s Play Store that were spreading Sharkbot malware. This malware steals credentials and banking information. It is obviously very dangerous,” said Alexander Chailytko, Cyber Security, Research and Innovation Manager – Check Point Software.
“Looking at the install count we can assume that the threat actor hit the bull's-eye for their method of malware spread. The threat actor strategically chose a location of applications on Google Play that have users’ trust,” added Chailytko.
“What’s also noteworthy here is that the threat actors push messages to victims containing malicious links, which leads to widespread adoption. All in all, the use of push messages by the threat actors requesting an answer from users is an unusual spreading technique,” explained Chailytko.
“I think it’s important for all Android users to know that they should think twice before downloading any anti-virus solution from the Play Store. It could be Sharkbot,” concluded Chailytko.
(Image source – Check Point Software)