Check Point Research (CPR) has identified six applications in Google's Play Store that spread malware by pretending to be antivirus solutions.
Known as Sharkbot, the malware steals credentials and banking information. During its investigation, CPR measured over 1,000 unique IP addresses of infected devices, mostly in the UK and Italy. However, Google Play Store statistics revealed that the malicious apps were downloaded more than 11,000 times.
Sharkbot lures its victims with push notifications and tricks users into entering credentials into windows that mimic data entry forms. CPR suspects the threat actors are Russian-speaking and warns Android users around the world to be extra careful before downloading antivirus solutions from the Play Store.
- 62% of the victims were found in Italy, 36% in the United Kingdom, 2% in other countries
- Threat operators have implemented geographical fencing, which ignores device users in China, India, Romania, Russia, Ukraine and Belarus
- CPR immediately reported its findings to Google, which removed the malware
Check Point Research (CPR) has discovered six applications on Google Play Store that spread banking malware while disguised as antivirus solutions. The malware, known as "Sharkbot", steals Android users' credentials and banking information.
Sharkbot entices its victims to enter their credentials into windows that mimic credential entry forms. When a user enters their data there, the compromised data is sent to a malicious server. CPR has found that the malware developers have implemented a geo-fencing feature that ignores device users in China, India, Romania, Russia, Ukraine or Belarus.
The Six Malicious Applications
Four of the applications came from three developer accounts, Zbynek Adamcik, Adelmio Pagnotto and Bingo Like Inc. When CPR checked the history of these accounts, they found that two of them were active in the fall of 2021. Some of the apps linked to these accounts were removed from Google Play, but still exist in informal markets. This could mean that the person behind the applications is trying to stay "under the radar" while still engaging in malicious activity.
The Victims
CPR was able to collect statistics for a week. During this period, it counted more than 1,000 victim IP addresses. Every day, the number of victims rose by about 100. According to Google Play statistics, the six malicious applications detected by CPR were downloaded more than 11,000 times. Most of the victims are in the United Kingdom and Italy.
The Methodology of Attack
- Prompting the user to grant accessibility rights to the application
- After that, the malware gains control of a large part of the victim's device
- Threat actors can also send push notifications to victims containing malicious links
Details of the attack
CPR does not have enough evidence to attribute responsibility to anyone in particular. We can assume that the authors of the malware speak Russian. In addition, the malware will not execute its malicious functionality if the device's locale is in China, India, Romania, Russia, Ukraine or Belarus.
Responsible Disclosure
Immediately after locating these applications that spread Sharkbot, CPR reported its findings to Google. After reviewing the applications, Google proceeded to permanently remove them from the Google Play store. The same day that CPR reported the findings to Google, the NCC team published separate research on Sharkbot, citing one of the malicious applications.
Comment by Alexander Chailytko, Cyber Security, Research & Innovation Manager, Check Point Software:
"We discovered six applications in the Google Play Store that were spreading Sharkbot malware. This malware steals credentials and banking information. It is obviously very dangerous. Considering the number of installations, we can assume that the threat actor has successfully chosen the method of spreading the malware, strategically choosing to place the applications on Google Play, which has the trust of users.
What is also notable here is that threat actors push messages to victims containing malicious links, which leads to widespread adoption. Overall, the use of push messages by threat actors, requesting a response from users, is an unusual propagation technique. I think it is important for all Android users to know that they should be extra careful before downloading any antivirus solution from the Play Store. It could be Sharkbot."
Security Tips for Android Users
- Only install applications from trusted and verified publishers.
- If you see an application from a new publisher, look for one from a trusted one.
- Report to Google any seemingly suspicious applications you encounter.