Anti-Virus Applications in the Play Store Spread Malware

Η Check Point Research (CPR) has identified six applications in Play Store of Google which spread malware by pretending to be antivirus solutions.

Known as Sharkbot, the malware steals credentials and banking information. During its investigation, CPR counted more than 1.000 unique IP addresses of infected devices, mainly in the United Kingdom and Italy. However, Google Play Store statistics revealed that the malware was downloaded more than 11.000 times.


Sharkbot lures its victims with push notifications and tricks users into entering credentials into environments that mimic data entry forms. CPR suspects the threat is Russian-speaking and warns Android users around the world to be extra careful before downloading antivirus solutions on the Play Store.

  • 62% of the victims were found in Italy, 36% in the United Kingdom, 2% in other countries
  • Threat operators have implemented geographical fencing, which ignores device users in China, India, Romania, Russia, Ukraine and Belarus
  • CPR immediately reported its findings to Google, which removed the malware

Check Point Research (CPR) has discovered six applications that spread banking malware on Google Play Store as disguised as antivirus solutions. Malware, known as "Sharkbot", steals Android users' credentials and banking information.

Sharkbot entices its victims to insert their credentials into windows that mimic credential entry forms. When a user enters their data there, the compromised data is sent to a malicious server. CPR has found that malware developers have implemented a geo-fencing feature that ignores device users in China, India, Romania, Russia, Ukraine or Belarus.

The Six Malicious Applications

6 malicious applications
Figure 1.

Four of the applications came from three developer accounts, Zbynek Adamcik, Adelmio Pagnotto and Bingo Like Inc. When CPR checked the history of these accounts, they found that two of them were active in the fall of 2021. Some of the apps linked to these accounts were removed from Google Play, but still exist in informal markets. This could mean that the person behind the applications is trying to stay "under the radar" while still engaging in malicious activity.

The Victims

CPR was able to collect statistics for a week. During this period, it counted more than 1.000 IP victims. Every day, the death toll rose by about 100. According to Google Play statistics, the six malicious applications detected by CPR were downloaded more than 11.000 times. Most of the victims are in the United Kingdom and Italy.

victims by country
Figure 2.% of victims per country

The Methodology of Attack

  1. Motivate the user to grant access rights to an application
  2. After that, the malware gains control of a large part of the victim's device
  3. Threat-takers can also send push alerts to victims that contain malicious links

Details of the attack

CPR does not have enough data to attribute the responsibility to a specific location. We can assume that the malware authors speak Russian. In addition, the malware will not perform its malicious functionality if the device is locally located in China, India, Romania, Russia, Ukraine or Belarus.

We announce responsibly

Immediately after locating these applications that spread Sharkbot, CPR announced its findings to Google. After reviewing the applications, Google proceeded to permanently remove these applications from the Google Play store. The same day that CPR reported the findings to Google, the NCC team he published a separate research for Sharkbot, citing one of the malicious applications.

Comment by Alexander Chailytko, Cyber ​​Security, Research & Innovation Manager, Check Point Software:

"We discovered six applications in the Google Play Store that were spreading Sharkbot malware. This malware steals credentials and banking information. It is obviously very dangerous. Considering the number of installations, we can assume that the threat factor has successfully chosen the method of spreading the malware, strategically choosing the location of applications on Google Play that has the trust of users.

What is also remarkable here is that the threat carriers send messages to the victims that contain malicious links, which leads to widespread adoption. Overall, the use of push-messages by threatening users to respond to users is an unusual dissemination technique. I think it's important for all Android users to know that they need to be very careful before downloading any antivirus solution from the Play Store. It could be Sharkbot. "

Security Tips for Android Users

  • Only install applications from trusted and verified publishers.
  • If you see an application from a new publisher, look for one from a trusted one.
  • Report to Google any seemingly suspicious applications you encounter. The Best Technology Site in Greece
Follow us on Google News

google play store, play store, android, Sharkbot, iguru

Written by newsbot

Although the press releases will be from very select to rarely, I said to go ... because sometimes the authors are hiding.

Leave a reply

Your email address is not published. Required fields are mentioned with *

Your message will not be published if:
1. Contains insulting, defamatory, racist, offensive or inappropriate comments.
2. Causes harm to minors.
3. It interferes with the privacy and individual and social rights of other users.
4. Advertises products or services or websites.
5. Contains personal information (address, phone, etc.).