Anti-Virus Applications in the Play Store Spread Malware

Check Point Research (CPR) has identified six applications in Google's Play Store that spread malware by pretending to be antivirus solutions.

Known as Sharkbot, the malware steals credentials and banking information. During its investigation, CPR measured over 1.000 unique IP addresses of infected devices, mostly in the UK and Italy. However, Google Play Store statistics revealed that the malicious apps were downloaded more than 11.000 times.


Sharkbot lures its victims with push notifications and tricks users into entering credentials into windows that mimic legitimate data entry forms. CPR suspects the threat actor is Russian-speaking and warns Android users around the world to be extra careful before downloading antivirus solutions from the Play Store.

  • 62% of the victims were found in Italy, 36% in the United Kingdom, 2% in other countries
  • Threat operators have implemented geographical fencing, which ignores device users in China, India, Romania, Russia, Ukraine and Belarus
  • CPR immediately reported its findings to Google, which removed the malware

Check Point Research (CPR) has discovered six applications on Google Play Store that spread banking malware while disguised as antivirus solutions. The malware, known as "Sharkbot", steals Android users' credentials and banking information.

Sharkbot entices its victims to insert their credentials into windows that mimic credential entry forms. When a user enters their data there, the compromised data is sent to a malicious server. CPR has found that malware developers have implemented a geo-fencing feature that ignores device users in China, India, Romania, Russia, Ukraine or Belarus.

The Six Malicious Applications

Figure 1. The six malicious applications.

Four of the applications came from three developer accounts, Zbynek Adamcik, Adelmio Pagnotto and Bingo Like Inc. When CPR checked the history of these accounts, they found that two of them were active in the fall of 2021. Some of the apps linked to these accounts were removed from Google Play, but still exist in informal markets. This could mean that the person behind the applications is trying to stay "under the radar" while still engaging in malicious activity.

The Victims

CPR was able to collect statistics for a week. During this period, it counted more than 1.000 victim IP addresses, and the number of victims rose by about 100 every day. According to Google Play statistics, the six malicious applications detected by CPR were downloaded more than 11.000 times. Most of the victims are in the United Kingdom and Italy.

Figure 2. Percentage of victims per country.

The Methodology of Attack

  1. The application persuades the user to grant it accessibility rights
  2. Once granted, the malware gains control of a large part of the victim's device
  3. Threat actors can also send push notifications to victims containing malicious links

Details of the attack

CPR does not have enough evidence to attribute responsibility to any specific party. We can assume that the authors of the malware speak Russian. Furthermore, the malware will not execute its malicious functionality if the device's locale is in China, India, Romania, Russia, Ukraine or Belarus.

Responsible Disclosure

Immediately after locating these applications that spread Sharkbot, CPR reported its findings to Google. After reviewing the applications, Google permanently removed them from the Google Play store. The same day that CPR reported the findings to Google, the NCC team published separate research on Sharkbot, citing one of the malicious applications.

Comment by Alexander Chailytko, Cyber Security, Research & Innovation Manager, Check Point Software:

"We discovered six applications in the Google Play Store that were spreading Sharkbot malware. This malware steals credentials and banking information. It is obviously very dangerous. Considering the number of installations, we can assume that the threat actor has successfully chosen the method of spreading the malware, strategically choosing the location of applications on Google Play that has the trust of users.

What is also notable here is that threat actors push messages to victims containing malicious links, which leads to widespread adoption. Overall, the use of push messages by threat actors, requesting a response from users, is an unusual propagation technique. I think it is important for all Android users to know that they should be extra careful before downloading any antivirus solution from the Play Store. It could be Sharkbot."

Security Tips for Android Users

  • Only install applications from trusted and verified publishers.
  • If you see an application from a new publisher, look for one from a trusted one.
  • Report to Google any seemingly suspicious applications you encounter.

Written by newsbot