SharkBot Banking Trojan returns to Google Play Store
The SharkBot banking trojan has been targeting Android devices for some time now. In what seems to have become a trend, Bitdefender recently found a number of malicious apps in the official Google Play store pushing aggressive unwanted ads that could potentially lead to more serious attacks.
This finding was not surprising since, in recent months, malicious apps have started to be distributed directly from the official store, making people inclined to believe that they are safe.
Through its real-time behavioral technology designed to detect software behaving suspiciously, Bitdefender’s research team uncovered apps downloaded from Google Play that acted as droppers for the SharkBot banking trojan shortly after they were installed.
“The Google Play Store is likely to detect a Trojan Banker uploaded to their repository, so criminals resort to more covert methods. One way is with an app, sometimes legitimate with some of the advertised features, that acts as a dropper for more insidious malware.”
The apps that Bitdefender found were disguised as file managers, allowing them to easily request and obtain user permission to install external packages. Two things add to their disguise and help them avoid detection: the malicious behavior is enabled only for a limited group of users, and an app on Google Play needs nothing more than the functionality of a file manager to install another app.
One of the identified apps is called X-File Manager, which installs SharkBot samples with the label _File Manager, tricking the user into thinking that an update for the app needs to be installed before it can be used.
What is interesting in this case is that they target users based on their location, and most of the users who have downloaded the apps are primarily from either the UK or Italy. Furthermore, the developer profile on Google Play is also only visible to users from Italy or the UK. The page cannot be opened without specifying the country code.
Bitdefender’s technical write-up also revealed that the application performed anti-emulator checks and targeted users from the UK and Italy by verifying whether the SIM ISO matched IT or GB. It also checked whether one of the targeted banking applications was installed on the user’s device.
The app has been removed from Google Play at the time of writing, but is available on other websites. Similar malicious apps identified by Bitdefender include FileVoyager and LiteCleaner M.
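An added triage example (not Bitdefender's code and not from the original article) that flags an app for manual review when the three traits described above co-occur: permission to install packages, a SIM country check, and a lookup of installed apps. It assumes the manifest has already been decoded to text XML and the code decompiled, and that the checks use the standard Android APIs named in the code, which the article does not specify; all sample inputs are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Assumption: the checks use these standard Android APIs; the article names none.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
ISO_LITERAL = re.compile(r'"([A-Za-z]{2})"')
PKG_LOOKUP = re.compile(r"\b(getPackageInfo|getInstalledPackages|getInstalledApplications)\b")

# Constructed sample inputs (not taken from any real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.filemanager">
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
</manifest>"""
SAMPLE_GATED_CODE = '''String iso = telephonyManager.getSimCountryIso();
if ("it".equalsIgnoreCase(iso) || "gb".equalsIgnoreCase(iso)) {
    packageManager.getPackageInfo("com.example.bank", 0);
}'''
SAMPLE_PLAIN_CODE = "File[] entries = directory.listFiles();"

def manifest_permissions(manifest_xml):
    """Permission names declared with <uses-permission> in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}

def sim_country_literals(code, window=3):
    """Two-letter string literals within `window` lines of a getSimCountryIso call."""
    lines = code.splitlines()
    found = set()
    for i, line in enumerate(lines):
        if "getSimCountryIso" in line:
            for near in lines[max(0, i - window): i + window + 1]:
                found.update(m.upper() for m in ISO_LITERAL.findall(near))
    return found

def triage(manifest_xml, code):
    """Flag an app for manual review only when all three signals co-occur."""
    perms = manifest_permissions(manifest_xml)
    signals = {
        "can_install_packages": "android.permission.REQUEST_INSTALL_PACKAGES" in perms,
        "sim_country_gate": sorted(sim_country_literals(code)),
        "checks_installed_apps": bool(PKG_LOOKUP.search(code))
        or "android.permission.QUERY_ALL_PACKAGES" in perms,
    }
    signals["review"] = bool(signals["can_install_packages"]
                             and signals["sim_country_gate"]
                             and signals["checks_installed_apps"])
    return signals

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, SAMPLE_GATED_CODE))
    print(triage(SAMPLE_MANIFEST, SAMPLE_PLAIN_CODE))
```

Each signal alone is common in legitimate apps, a real file manager included, so the result is a prompt for manual review rather than a verdict.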