SharkBot is a relatively new, and dangerous, bit of malware. It’s a banking trojan, first spotted towards the end of October 2021 by researchers from Cleafy. It exists to make money transfers from any compromised user, stealing credentials and banking information and having the capacity to bypass multi-factor authentication. New research reveals a total of six Android security apps, all of which had been available within the official Google Play store, were being used to distribute this nasty malware.
SharkBot takes a bite at Android antivirus app users
As reported by Bleeping Computer in March, NCC Group security researchers were the first to uncover a supposed antivirus app in the official Google Play store that was spreading the SharkBot trojan. The ‘Antivirus, Super Cleaner’ was permanently removed by Google soon after the NCC Group report was published. Now Check Point researchers have revealed that they found no less than six such infected apps, all posing as legitimate antivirus solutions for Android users.
Unmasking the Android antivirus app imposters
As well as the previously mentioned app, the list included: ‘Atom Clean-Booster, Antivirus,’ ‘Alpha Antivirus, Cleaner,’ ‘Powerful Cleaner, Antivirus,’ and two called ‘Center Security – Antivirus.’ After responsibly disclosing details of these to Google, all of them were permanently removed between March 3 and March 27. If you are among the thousands who downloaded any of these apps, and still have them installed on your Android devices, then you are advised to delete them immediately and check your bank statements for any unusual activity. Changing your banking passwords is also highly recommended.
“It is obviously very dangerous”
“This malware steals credentials and banking information. It is obviously very dangerous. Looking at the install count we can assume that the threat actor hit the bullseye for their method of malware spread. The threat actor strategically chose a location of applications on Google Play that have users’ trust.” Alexander Chailytko, the cybersecurity, research and innovation manager at Check Point Software, said.
Chailytko also pointed out that the fact the threat actors were using ‘push messages’ to victims that contained malicious links was both unusual and ensured widespread adoption.
“The use of push-messages by the threat actors requesting an answer from users is an unusual spreading technique,” Chailytko continued, “I think it’s important for all Android users to know that they should think twice before downloading any anti-virus solution from the Play Store. It could be SharkBot.”
Check Point Research has published a full and detailed technical analysis of the SharkBot campaign.
What does Google have to say about the SharkBot apps?
I reached out and asked how these apps were able to evade detection and make it into the Google Play store, to which a Google spokesperson provided the following statement: “We appreciate the work of the research community, and when we find apps that violate our policies, we take action.” Google did confirm that all of the apps in question have been removed.