These file manager apps are infecting Android users with SharkBot malware


Security researchers at Bitdefender found four new malicious apps on the Play Store that infect Android devices with SharkBot banking malware. These apps don't carry a malicious payload at installation, which lets them evade the Play Store scans; instead, they fetch it from a remote resource after installation. Because the malicious apps are file managers, they are less likely to raise suspicion when requesting the dangerous permissions needed to load the SharkBot malware.

What is SharkBot?

First discovered by Bitdefender, SharkBot is a dangerous malware that steals online banking credentials. These apps display a fake login page in front of legitimate banking sites. When a user tries to log in to their bank using one of these fake forms, threat actors steal their banking credentials.

Bitdefender's researchers found these apps and reported them to Google. Google acted quickly and removed these apps from the Play Store. But these apps have been evolving and have appeared on the Play Store under various guises or been loaded from trojan apps.


Which apps are infected?

One of these apps, known as 'X-File Manager' by Victor Soft Ice LLC, performs anti-emulation checks to evade detection. As part of their targeted campaign, these apps install the malware only on devices with British or Italian SIMs.


Bitdefender noted that most victims of this particular SharkBot distribution wave are in the United Kingdom, followed by Italy, Iran, and Germany. The app requests risky permissions such as reading and writing external storage, installing new packages, accessing account details, and deleting packages. However, users are likely to grant these permissions to a file manager. X-File Manager prompts the user to approve a fake program update, which installs the malware.
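The permission set described above can be checked before an app is installed. The following is an added example, not code from Bitdefender or from this article: it audits a decoded AndroidManifest.xml for those permissions. The mapping from the article's wording to Android permission names is an assumption, and the two sample manifests and their package names are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Assumed mapping from the behaviours the article names to Android permission strings.
RISKY = {
    P + "READ_EXTERNAL_STORAGE": "read external storage",
    P + "WRITE_EXTERNAL_STORAGE": "write external storage",
    P + "REQUEST_INSTALL_PACKAGES": "install new packages",
    P + "GET_ACCOUNTS": "access account details",
    P + "REQUEST_DELETE_PACKAGES": "delete packages",
}

def audit_manifest(xml_text):
    """Report which of the article's risky permissions a decoded manifest requests."""
    root = ET.fromstring(xml_text)
    requested = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(ANDROID_NS + "name")
            if name:
                requested.add(name.strip())
    matched = sorted(requested & set(RISKY))
    return {
        "package": root.get("package"),
        "matched": [RISKY[m] for m in matched],
        # Storage access alone is normal for a file manager; the ability to
        # install packages is what a fake "update" prompt depends on.
        "can_install_packages": P + "REQUEST_INSTALL_PACKAGES" in requested,
        "full_set": len(matched) == len(RISKY),
    }

def _manifest(package, perms):
    """Build a constructed sample manifest (not taken from any real app)."""
    lines = "".join(f'<uses-permission android:name="{P}{p}"/>' for p in perms)
    return (f'<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="{package}">{lines}<application/></manifest>')

SUSPICIOUS = _manifest("com.example.filemanager", [
    "READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE", "REQUEST_INSTALL_PACKAGES",
    "GET_ACCOUNTS", "REQUEST_DELETE_PACKAGES", "INTERNET"])
ORDINARY = _manifest("com.example.plainfiles", [
    "READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE"])

if __name__ == "__main__":
    for sample in (SUSPICIOUS, ORDINARY):
        print(audit_manifest(sample))
```

A full match is a reason to look closer, not proof of infection, since the payload in this campaign is fetched only after installation.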


Another app infected with this malware is ‘FileVoyager’ by Julia Soft Io LLC. This app has the same operational pattern as X-File Manager and targets the same financial institutions in Italy and the UK.


Other apps carrying the SharkBot malware include 'LiteCleaner M' and 'Phone AID, Cleaner, Booster 2.6'. Currently, these apps are only available via third-party app stores like APKSOS.


How to Stay Protected from these Apps?

One of the easiest ways to stay away from these malicious apps is to read the reviews. But since reviews can be fake, users should also look for external reviews on other sites and for video reviews. Another way to stay protected is to enable Google Play Protect on all devices, as it scans your apps for malware in the background. For added protection, users can also install an antivirus app.