Some File Managers For Android Infected With The 'Sharkbot' Malware, Researchers Found


History repeats itself, as researchers have again found malware-infected apps on Google Play Store.

But this time, things are a bit different, because the collection of malicious Android apps poses as harmless file managers that promise to help users manage the files they have on their phone, when in fact they are sneaky and extremely dangerous.

First, the apps do not carry any malicious payload upon installation. This is done to evade detection when submitted on Google Play.

According to a report from researchers at Bitdefender, the apps only fetch their malicious payload a while later, by accessing a remote resource controlled by the developers.

And second, the payload the apps fetch can quickly drain victims' bank accounts.

The apps' intrusive behavior isn't suspicious at first.

This is because the apps are file managers, meaning that they have to have deep access to users' storage, and that they are less likely to raise suspicions when requesting dangerous permissions.

For example, the apps ask users to grant risky permissions like reading and writing external storage, installing new packages, accessing account details, deleting packages, and more.

These permissions appear normal and expected in the context of file management apps. The developers of the malicious apps know this well, and this is why they expect users to be less likely to treat the requested permissions with caution.
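As a defender's triage aid for the permission set listed above, the following added example (not code from Bitdefender or from the original article) parses a decoded AndroidManifest.xml and flags apps that combine package installation with the other permissions named. The mapping to Android permission constants, the threshold of 4, and the two sample manifests are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# The permissions the article lists, as Android manifest constants.
PROFILE = {
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.REQUEST_INSTALL_PACKAGES",
    "android.permission.GET_ACCOUNTS",
    "android.permission.REQUEST_DELETE_PACKAGES",
}
# Package installation is what lets a clean-looking app add a payload later.
INSTALL = "android.permission.REQUEST_INSTALL_PACKAGES"


def requested_permissions(root):
    """Collect every permission name declared in a parsed manifest."""
    perms = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get(ANDROID_NS + "name")
            if name:
                perms.add(name.strip())
    return perms


def triage(manifest_xml, threshold=4):
    """Flag for manual review; threshold is an assumed cut-off, tune it."""
    root = ET.fromstring(manifest_xml)
    matched = sorted(requested_permissions(root) & PROFILE)
    review = INSTALL in matched and len(matched) >= threshold
    return {"package": root.get("package"), "matched": matched, "review": review}


def _manifest(package, perms):
    """Build a constructed sample manifest (not from any real app)."""
    lines = "".join(f'<uses-permission android:name="{p}"/>' for p in perms)
    return (f'<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="{package}">{lines}</manifest>')


SAMPLE_FILE_MANAGER = _manifest("com.example.filemanager", sorted(PROFILE))
SAMPLE_GALLERY = _manifest("com.example.gallery", [
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.INTERNET",
])

if __name__ == "__main__":
    for sample in (SAMPLE_FILE_MANAGER, SAMPLE_GALLERY):
        print(triage(sample))
```

A flag here means "review this app", not "this app is malicious": legitimate file managers request the same permissions, which is why the check keys on the install permission rather than on storage access alone.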

Once installed onto a device, the apps will show a pop-up message to notify users that the apps need a vital update.

But instead of downloading the required data from the official app store, the apps take users to third-party websites where malware is then deposited onto the device.

At this point, spam phishing websites would begin to appear on a victim's device.

And when the apps manage to connect to their command and control and download their malicious payload, Sharkbot will be installed on users' devices.

Sharkbot is a dangerous malware that is designed to steal online bank accounts by displaying fake login forms over legitimate login prompts in banking apps.

When a user attempts to log in to their bank using one of these fake forms, the credentials are stolen and sent to the threat actors.

Sharkbot is constantly evolving, and has been appearing on the Play Store under various guises or loaded from trojan apps.

In this case, the most malicious of them all is ‘X-File Manager’ by Victor Soft Ice LLC.

The researchers at Bitdefender have reported the apps to Google. All of them have since been removed from the Google Play Store.

Even so, many users who downloaded them previously may still have them installed on their phones, or may still suffer from undiscovered remnant malware infections.

According to Bitdefender’s telemetry data, most victims of the particular Sharkbot distribution are located in the United Kingdom, followed by Italy, Iran, and Germany.

Published: 26/11/2022