The apps don’t carry the malicious payload after installation but instead fetch it from a remote resource.
Because the trojan apps are file managers, they are less likely to raise suspicion when requesting dangerous permission.
PLAYRead MoreRead MoreRead MoreRead MoreRead More1/1Skip AdContinue watchingafter the ad
Fake file managers infect Android
Sharkbot is a malicious software that tries to steal online bank accounts by displaying fake login forms over legitimate login prompts. When a user tries to log in to their bank using a fake form, their credentials are stolen and sent to the threat actors.
The Play Store has been home to various guises of the malicious software, which has been evolving.
According to a new report by Bitdefender, analysts discovered the new apps that were hidden as file managers and reported them to the internet search engine. All of them have been taken down from the store.
Many users who downloaded them previously may still have them installed on their phones or still suffer from undiscovered remnant infections.
The first malicious app was ‘X-File Manager’ by Victor Soft Ice, which was downloaded 10,000 times before it was taken down.
The app performs anti-emulation checks to evade detection and will only load Sharkbot on Great British or Italian SIMs, so it’s part of a targeted campaign.
The threat actors are able to remotely update the list of mobile bank apps whenever they want.
Most victims of the particular Sharkbot distribution wave are located in the United Kingdom, followed by Italy, Iran, and Germany, according to the data from Bitdefender.
Permissions like reading and writing external storage, installing new packages, accessing account details and wiping traces are requested by the malicious app.
Users are less likely to treat the request with caution since these permissions appear normal and expected in the context of file management apps.
X-File Manager will prompt the user to approve before installing a fake program called SharkBot.
The second malicious app that installs the banking trojan is ‘FileVoyager’ by Julia Soft Io LLC.
X-File Manager targets the same financial institutions in Italy and the UK as FileVoyager.
The litecleaner M app amassed 1,000 downloads before it was spotted and removed from the play store.
The app is only available in third-party stores. The third-party app store has a fourth Sharkbot loader named ‘phone AID, Cleaner, Booster 2.6’.
If these apps are installed, users should change their passwords for their online bank accounts.
The best way to protect yourself is to keep the Play Protect service on, as threat actors distribute these apps directly from the Play store.
It is possible to detect malicious traffic and apps even before they are reported to the Play store.
