Google Removes Dangerous Banking Malware From Play Store

Sharkbot was hidden in apps masquerading as antivirus tools.

A dangerous Android banking Trojan called SharkBot that first surfaced last October and continues to circulate in the wild is the latest example of threat actor persistence in trying to distribute mobile malware through the trusted Google Play mobile app store.

The malware — which its discoverer described as “next-generation” — uses compromised Android devices to surreptitiously transfer money out of bank accounts while the victim is logged into the account, bypassing multifactor authentication controls in the process. SharkBot can also steal credentials and credit card data, and it packs multiple features designed to complicate or slow down detection.

Over the past month, researchers from Check Point Research identified at least six different applications on Google Play that were masquerading as legitimate antivirus software but instead were being used to drop SharkBot on the devices of those who downloaded the apps. The six apps were uploaded from three separate developer accounts and were downloaded more than 15,000 times in the relatively short period that they were available on Play.

Check Point discovered four of the applications distributing SharkBot on Feb. 23, 2022, and reported it to Google on March 3, the same day that another security vendor, NCC Group, reported finding the same threat in Google’s official mobile app store as well. Google removed the rogue apps from Google Play about a week later. But less than one week later — and then again a week after that — Check Point discovered two more apps containing the malware on Google Play. On both occasions, Google’s security team moved quickly to remove the threats before any users downloaded them.

A Google spokesman confirmed the company has removed all traces of the malware from Play.

In a blog this week, Check Point highlighted several features in SharkBot that explain to an extent the multiple times the authors of the malware were able to bypass Google’s protections to upload it to the Play app store. SharkBot’s tricks include time delays, capabilities for detecting if it’s running in a sandbox, and keeping most of its malicious functionality in a module that’s downloaded from an external command-and-control server after Play’s app
