Google has removed six apps infected with Sharkbot, the bank stealer malware, from its app store, reports said. The apps had been downloaded 15,000 times before their removal.
All six apps were designed to pose as antivirus solutions and to select targets using a geofencing feature. The apps stole users’ login credentials for websites and services. The infected applications were used to target users in Italy and the UK, the reports suggest.
Check Point Research said in a blog post that the six Android applications pretending to be antivirus apps on the Google Play store were marked as “droppers” for Sharkbot.
The malware is an Android Stealer used to infect devices and steal login credentials and payment details. Once a dropper application is installed, it is used to download a malicious payload and infect a device — evading detection.
Researchers discovered six different applications—including ones named Atom Clean-Booster, Antivirus; Antvirus Super Cleaner; and Center Security-Antivirus—spreading Sharkbot.
The apps came from three developer accounts–Zbynek Adamcik, Adelmio Pagnotto and Bingo Like Inc.—at least two of which were active in the autumn of last year. The timeline makes sense, as Sharkbot first came onto researchers’ radar screens in November.
“Some of the applications linked to these accounts were removed from Google Play, but still exist in unofficial markets,” researchers wrote. “This could mean that the actor behind the applications is trying to stay under the radar while still involved in malicious activity.”
Google removed the offending applications, but not before they were downloaded and installed about 15,000 times, researchers said. Primary targets of Sharkbot are users in the United Kingdom and Italy, as was previously the case, they said.
What Is Sharkbot Malware?
Sharkbot is a type of malware that collects users’ passwords and banking information. Sharkbot malware entices victims to enter their login credentials into windows that look like legitimate credential entry forms. When a user enters all credentials, the data is hacked and transferred to a hostile server.
What is more interesting is, Sharkbot malware doesn’t go after every prospective victim it comes across, but rather a subset of them. It uses the geofencing feature to identify and ignore Android smartphone users from China, India, Romania, Russia, Ukraine, or Belarus.
Timeline of Activity
Researchers first discovered four applications of the Sharkbot Dropper on Google Play on Feb. 25 and shortly thereafter reported their findings to Google on March 3. Google removed the applications on March 9 but then another Sharkbot dropper was discovered six days later, on March 15.
CPR reported the third dropper discovered immediately and then found two more Sharkbot droppers on March 22 and March 27 that they also reported quickly to Google for removal.
The droppers by which Sharkbot spreads in and of themselves should raise concern, researchers said. “As we can judge by the functionality of the droppers, their possibilities clearly pose a threat by themselves, beyond just dropping the malware,” they wrote in the report.
Specifically, researchers found the Sharkbot dropper masquerading as the following applications on Google Play;
