Google removes 6 apps posing as antivirus apps used to infect phones with Sharkbot malware.



Google has reportedly removed six apps from the Google Play Store that were infected with the Sharkbot banking malware. The apps were downloaded 15,000 times before being banned from the store. All six apps posed as antivirus solutions for Android smartphones and used geofencing to select targets and steal their credentials for various websites and services. The infected apps were reportedly used to target users in Italy and the United Kingdom.

According to a blog post from Check Point Research, six Android apps posing as genuine antivirus apps on the Google Play Store have been identified as "droppers" of the Sharkbot malware. Sharkbot is an Android stealer used to infect devices and steal credentials and payment details from unsuspecting users. Once the dropper app is installed, it can be used to download malicious payloads and infect users' devices, evading detection by the Play Store.

The Sharkbot malware used by six rogue antivirus apps also employs a "geo-fencing" feature designed to target victims in specific areas. According to the Check Point research team, the Sharkbot malware is designed to identify and ignore users from China, India, Romania, Russia, Ukraine or Belarus. The malware is reportedly able to detect when it is running in a sandbox and will stop execution and shut down to prevent analysis.

Check Point Research identified six applications from three developer accounts: Zbynek Adamcik, Adelmio Pagnoto and Bingo Like Inc. The team also cited AppBrain statistics showing that the six apps were downloaded a total of 15,000 times before being removed. Despite being removed by Google, some of these developers' apps are still available on third-party marketplaces.

Four malicious apps were discovered on February 25 and reported to Google on March 3. According to Check Point Research, the apps were removed from the Play Store on March 9. Meanwhile, two more Sharkbot dropper apps were discovered on March 15 and 22 — both of which were reportedly removed on March 27.


The researchers also outlined a total of 22 commands used by the Sharkbot malware, including requesting SMS permissions, downloading Java code and installation files, updating local databases and configurations, uninstalling applications, collecting contacts, disabling battery optimization (so that it can run in the background), sending push notifications, and listening for notifications. Notably, the Sharkbot malware can also request accessibility permissions that allow it to view screen content and perform actions on behalf of the user.
