If you need an antivirus app for your Android phone, make sure it’s legit. Security researchers recently uncovered six fake antivirus apps on the Google Play Store that installed malware.
The six apps included “Antivirus, Super Cleaner,” “Center Security - Antivirus” and “Powerful Cleaner Antivirus,” according to security firm Check Point. But in reality the programs delivered a malware strain dubbed “Sharkbot,” which can steal information about your login credentials and bank accounts.
In total, the apps were downloaded over 15,000 times, mainly from users in Italy and the UK. Google removed all six apps after Check Point reported the problem to the company.
The six apps work by functioning as “droppers,” meaning they’ll install the Sharkbot malware on the phone at a later time. Moreover, the malware installation will only trigger in select geographies such as China, India, Romania, Russia, Ukraine, or Belarus. This may help explain why the Google Play Store didn’t detect the malicious nature of the apps.
If the malware does install, Sharkbot will then try to steal passwords by creating fake login windows on the phone. “When the user enters credentials in these windows, the compromised data is sent to a malicious server,” Check Point wrote in a research report. “Sharkbot doesn’t target every potential victim it encounters, but only select ones, using the geofencing feature to identify and ignore users from China, India, Romania, Russia, Ukraine, or Belarus.”
The malware also includes other nefarious functions, such as the ability to steal phone contacts, display push notifications, and secretly uninstall other apps on the phone. In addition, Sharkbot will stop all processes if it detects it’s being run on an isolated “sandbox” software environment, instead of an actual phone. This can help it evade detection from security researchers.
Check Point says four of the discovered apps came from developer accounts with the names "Zbynek Adamcik," "Adelmio Pagnotto," and "Bingo Like Inc."
“When we checked the history of these accounts, we saw that two of them were active in the fall of 2021,” it says. “Some of the applications linked to these accounts were removed from Google Play, but still exist in unofficial markets.”
A separate security firm, NCC Group, also discovered the presence of Sharkbot on the Google Play Store. The company noted the malware sample it found focused on initiating money transfers through legitimate banking apps on the victim’s phone.
“For most of these features, SharkBot needs the victim to enable the Accessibility Permissions & Services,” NCC Group said. “These permissions allows Android banking malware to intercept all the accessibility events produced by the interaction of the user with the User Interface, including button presses, touches, TextField changes.”
Google did not immediately respond to a request for comment.