Six Anti-Virus Apps Found on Google Play Store Spreading Malware

Check Point Research (CPR) finds six applications on Google's Play Store that were spreading banking malware by posing as anti-virus solutions. Known as Sharkbot, the malware steals credentials and banking information. During CPR's investigation, CPR counted over 1,000 unique IP addresses of infected devices, mostly in the UK and Italy. However, Google Play Store statistics revealed that the malicious applications were downloaded more than 11,000 times. Sharkbot lures its victims through push notifications and by tricking users into entering credentials in windows that mimic input forms. CPR suspects the threat actors are Russian speaking and warns Android users world-wide to think twice before downloading anti-virus solutions from the Play Store.

  • 62% of victims were found to be in Italy, 36% in the UK and 2% in other countries
  • Threat actors implemented a geo-fencing feature that ignores device users in China, India, Romania, Russia, Ukraine and Belarus
  • CPR responsibly disclosed findings to Google, who removed the malicious applications

Check Point Research (CPR) discovered six applications spreading banking malware on Google's Play Store by masquerading as anti-virus solutions. The malware, known as 'Sharkbot', steals credentials and banking information of Android users. Sharkbot lures its victims into entering their credentials in windows that mimic credential input forms. When the user enters their credentials in these windows, the compromised data is sent to a malicious server. CPR learned that the malware authors implemented a geo-fencing feature, which ignores device users in China, India, Romania, Russia, Ukraine or Belarus.

Four of the applications came from three developer accounts, Zbynek Adamcik, Adelmio Pagnotto and Bingo Like Inc. When CPR checked the history of these accounts, they saw that two of them were active in the fall of 2021. Some of the applications linked to these accounts were removed from Google Play, but still exist in unofficial markets. This could mean that the actor behind the applications is trying to stay under the radar while still involved in malicious activity.

Victims

CPR was able to collect statistics for one week. During this time, CPR counted over 1,000 IPs of victims. Each day, the number of victims increased by roughly 100. According to Google Play statistics, the six malicious applications spotted by CPR were downloaded over 11,000 times. Most of the victims are in the UK and Italy.

Attack Methodology

1. Entice the user to grant accessibility service permissions to the application
2. Once granted, the malware gains control of a large part of the victim's device
3. Threat actors can also send push notifications to victims containing malicious links

Attribution

CPR does not have enough evidence to make an attribution. We can assume that the malware authors speak Russian. Furthermore, the malware will not run its malicious functionality if the device's locale is in China, India, Romania, Russia, Ukraine or Belarus.

Responsible Disclosure

Immediately after identifying these applications that spread Sharkbot, CPR reported the findings to Google. After examining the apps, Google permanently removed them from the Google Play Store. On the same day CPR reported the findings to Google, the NCC Group published separate research about Sharkbot, mentioning one of the malicious apps.

Quote: Alexander Chailytko, Cyber Security, Research & Innovation Manager at Check Point Software:

"We discovered six applications on Google's Play Store that were spreading Sharkbot malware. This malware steals credentials and banking information. It is obviously very dangerous. Looking at the install count we can assume that the threat actor hit the bull's-eye for their method of malware spread. The threat actor strategically chose a location of applications on Google Play that have users' trust. What's also noteworthy here is that the threat actors push messages to victims containing malicious links, which leads to widespread adoption. All in all, the use of push messages by the threat actors requesting an answer from users is an unusual spreading technique. I think it's important for all Android users to know that they should think twice before downloading any anti-virus solution from the Play Store. It could be Sharkbot."

Safety Tips for Android Users

  • Install applications only from trusted and verified publishers.
  • If you see an application from a new publisher, search for analogs from a trusted one.
  • Report to Google any seemingly suspicious applications you encounter.

Telecom Today (www.telecomtoday.in)