- Check Point Research (CPR) found anti-virus apps on the Google Play store disguised as legitimate which downloaded and installed android malware
- At least six different apps with over 15,000 total downloads were spreading the malware, which were consequently all taken down from the Google Play store after CPR’s disclosure
- Dubbed “Sharkbot” the malware steals credentials and banking information
When searching for an anti-virus (AV) solution to protect your mobile, the last thing one would expect is for it to make your device vulnerable to malware. This is what the CPR team encountered while analyzing suspicious applications found on the Google Play store. These applications were disguised as genuine AV solutions, but in reality, users downloaded and installed an android stealer called ‘Sharkbot’.
Sharkbot steals credentials and banking information. This malware implements a geofencing feature and evasion techniques, which makes it stand out from the rest of malwares. It also makes use of something called domain generation algorithm (DGA), an aspect rarely used in the world of Android malware.
CPR identified approximately 1000 unique IP addresses of infected devices during the time of analysis. Most of the victims were from Italy and the UK as per the chart below.
Sharkbot lures victims to enter their credentials in windows that mimics benign credential input forms. When the user enters credentials in these windows, the compromised data is sent to a malicious server. Sharkbot doesn’t target every potential victim it encounters, but only select ones, using the geofencing feature to identify and ignore users from China, India, Romania, Russia, Ukraine or Belarus.
Disguised as Legitimate Anti-Virus Apps on Google Play Store
CPR researchers spotted a total of six different applications in the Google Play store that were spreading Sharkbot.
Four applications came from three developer accounts, Zbynek Adamcik, Adelmio Pagnotto and Bingo Like Inc. When CPR checked the history of these accounts, we saw that two of them were active in the fall of 2021. Some of the applications linked to these accounts were removed from Google Play, but still exist in unofficial markets. This could mean that the threat actor behind these applications is trying to stay under the radar, while still involved in malicious activity. Overall, we saw over 15,000 downloads of these apps from Google Play.
Applications found on Google Play store
Responsible Disclosure to Google
Immediately after identifying these applications that spread Sharkbot, CPR reported these finding to Google. Quickly after examining the apps, Google proceeded to permanently remove these applications on Google Play store.
On the same day CPR reported the finding to Google, the NCC group published a separate research about Sharkbot, mentioning one of the malicious apps.
Beware of Malicious Apps
Threat actors are evolving and constantly seeking ways to inject and drop malware at any means possible, including disguising as legitimate “official” apps.
We advise Android users to:
- install applications only from trusted and verified publishers
- if you see an application from a new publisher, search for equivalents from trusted publishers
- report to Google any seemingly suspicious applications you encounter