Member Login
menu

Six Antivirus Apps On Android Were Found Snooping For Users' Banking Details

6 sharks and 1 Android

Android is so flexible that it has so many security holes that hackers could get through.

And this time, researchers have found six Android apps on the Google Play Store that spread the 'Sharkbot' malware to steal users' banking information, ironically, by portraying themselves as antivirus apps, Check Point Research has found.

According to the report, six apps that are listed as Android antivirus or antimalware security apps were targeting users in users in Italy and the UK, as well as some other countries, while ignoring users in China, India, Romania, Russia, Ukraine or Belarus.

The six apps that have been found are named:

  • Atom Clean-Booster, Antivirus.
  • Antivirus, Super Cleaner.
  • Alpha Antivirus, Cleaner.
  • Powerful Cleaner, Antivirus.
  • Two version of the Center Security - Antivirus app.

"Four applications came from three developer accounts, Zbynek Adamcik, Adelmio Pagnotto and Bingo Like Inc. When CPR checked the history of these accounts, we saw that two of them were active in the fall of 2021. Some of the applications linked to these accounts were removed from Google Play, but still exist in unofficial markets. This could mean that the threat actor behind these applications is trying to stay under the radar, while still involved in malicious activity. Overall, we saw over 15,000 downloads of these apps from Google Play."

SharkBot is an Android banking malware found at the end of October 2021 by the Cleafy Threat Intelligence Team.

The goal of the malware is to initiate money transfers from compromised devices via Automatic Transfer Systems (ATS).

At the moment of its finding, this technique is considered an advanced attack technique which isn’t used regularly within Android malware.

The technique enables the hackers to create autofill fields in legitimate mobile banking apps and initiate money transfers, whereas other Android banking malware, require a live operator to insert and authorize money transfers.

And because of the fact that the apps were being distributed via the Google Play Store as a fake antivirus, the developers of the apps had to include the usage of infected devices in order to spread the malicious app.

SharkBot achieves this by abusing the ‘Direct Reply‘ Android feature. This feature is used to automatically send reply notification with a message to download the fake antivirus app. This spread strategy abusing the Direct Reply feature has been seen recently in another banking malware called Flubot, discovered by ThreatFabric.

Read: Flubot Malware Improvises Strategy By Adding More Tricks To Lure Victims

6 antivirus apps malware
The 6 Sharkbot-laced antivirus solution apps found on Google Play Store. (Credit: Check Piont Research)

The researchers at Check Point Research found the six apps when analyzing suspicious apps found on the Google Play store.

The team knew that when searching for an antivirus solution, the last thing people would expect is installing a malware instead of the solution.

After notifying Google, the apps were then removed from the Play Store.

"Threat actors are evolving and constantly seeking ways to inject and drop malware at any means possible, including disguising as legitimate 'official' apps."

The researchers suggest Android users to always be careful when installing new apps:

  • Install apps only from trusted and verified publishers.
  • If users see an app from a new publisher, search for equivalents from trusted publishers.
  • Report to Google any seemingly suspicious applications you encounter.
Published: 
12/04/2022