Thousands of Android users downloaded this password-stealing malware disguised as anti-virus from Google Play
Six phony anti-virus apps have been removed from the Google Play app store because instead of protecting users from cyber criminals, they were actually being used to deliver malware to steal passwords, bank details and other personal information from Android users.
The malware apps have been detailed by cybersecurity researchers at Check Point, who say they were downloaded from Google’s official app marketplace by over 15,000 users who were looking to protect their devices, which instead became infected with Sharkbot Android malware.
Sharkbot is designed to steal usernames and passwords, which it does by luring victims into entering their credentials in overlaid windows that send the information back to the attackers, who can use it to gain access to emails, social media, online banking accounts and more.
The six malicious apps found by researchers aimed to attract Android users searching for antivirus, cleaner and security apps.
It’s possible that victims were sent phishing links which directed them to the download pages for the Sharkbot-infested apps. The apps were able to bypass Google Play store protections because malicious behaviour in the apps wasn’t activated until after they’d been downloaded by a user and the app had communicated back to servers run by the attackers.
“We think that they were able to do it because all malicious actions were triggered from the C&C server, so the app could stay in the ‘OFF’ state during a test period in Google Play and turn ‘ON’ when they get to the users’ devices,” Alexander Chailytko, cyber security, research and innovation manager at Check Point Software, told ZDNet.
According to analysis of the malware, Sharkbot won’t infect everyone who downloads it – it uses a geofencing feature to identify and ignore users from China, India, Romania, Russia, Ukraine or Belarus. Meanwhile, most victims who downloaded Sharkbot appear to be in the United Kingdom and Italy.
After identifying the apps, Check Point disclosed the findings to Google, which has removed the six apps from the Google Play Store. While the Sharkbot-infected apps have been removed from Google’s official marketplace, they remain actively available on third-party sites, so users could still potentially be tricked into downloading them. ZDNet has asked Google for comment and will update this story if we get a response.
Anyone who suspects they’ve downloaded a malicious app should immediately uninstall it, download a legitimate antivirus program to scan their device, and change the passwords on any accounts whose credentials could have been stolen. If there’s any uncertainty about what to download or whether an app is legitimate, looking at user reviews can help provide a clearer picture: if the app isn’t legitimate, reviews will often say so.