Backdoor antivirus, SharkBot Bank Trojan spread on Google Play

Recently, researchers from the Check Point Research (CPR) team released a report stating that several malicious Android apps had been found in Google's official Google Play Store. The apps were disguised as antivirus software and used to spread the SharkBot Bank Trojan.


SharkBot is an information-stealing program that attackers use to steal bank account credentials. Like other Android banking Trojans, it uses Android's Accessibility Service to display fake overlay windows on top of legitimate banking applications. SharkBot also uses a Domain Generation Algorithm (DGA), which is rarely used by Android malware. Once SharkBot is installed on the victim's device, the victim is tricked into entering their credentials in a window that looks like a normal input form. The malware can also check whether it is running in a sandbox, to prevent researchers from analyzing it.

Researchers believe that one of the characteristics of SharkBot is the ability to automatically reply to notifications from Facebook Messenger and WhatsApp to spread links to fake antivirus apps.

To be more targeted, SharkBot implements evasion techniques and uses geofencing to target victims in specific countries and regions while avoiding devices from India, Romania, Russia, and Ukraine.

6 fake antivirus apps found


The researchers found a total of 6 seemingly normal antivirus apps spreading SharkBot in the Google Play Store, from 3 developers: Zbynek Adamcik, Adelmio Pagnotto, and Bingo Like Inc. When the researchers examined the history of these accounts, they found that two of them were active in the fall of 2021. Some of the apps associated with these accounts have been removed from Google Play but still exist in unofficial marketplaces. This could mean that the attackers behind the apps are still trying to keep a low profile while engaging in malicious activity. Some of the apps had been downloaded more than 15,000 times before they were removed, and most of the victims were in Italy and the UK.

At the end of the report, the researchers expressed concern that a new antivirus application appearing in Google Play today might be a wolf in sheep's clothing that becomes a vector for spreading malware. In a propagation scheme such as SharkBot's, the malware itself is not uploaded to Google Play; instead, it is spread through an intermediate link disguised as legitimate software.