Google Play Store removes six apps that spread Sharkbot malware

Check Point Research has recently discovered six applications on Google Play Store that were spreading Sharkbot malware.
Google has already removed six apps infected with Sharkbot, the bank stealer malware, from its app store. Customers downloaded these apps 15,000 times before their removal. Google Play Store statistics revealed that the malicious applications were downloaded more than 11,000 times.

All six apps were designed to pose as antivirus solutions and to select targets using a geofencing feature. The apps stole users’ login credentials for websites and services. The infected applications were used to target users in Italy and the UK.

The six Android applications pretending to be antivirus apps on the Google Play store were marked as “droppers” for Sharkbot. The malware is an Android Stealer that aims to infect devices and steal login credentials and payment details. Once a dropper application is installed, it is used to download a malicious payload and infect the device while evading detection, Check Point Research said in a blog post.

The Sharkbot malware used by the six apps also used a geofencing feature to target victims in specific regions. The Sharkbot malware is capable of detecting when it is being run in a sandbox and shuts down to prevent analysis, according to the Check Point Research team.

The six applications were identified from three developer accounts — Adelmio Pagnotto, Zbynek Adamcik, and Bingo Like Inc. The team cited statistics from AppBrain, which revealed the 15,000 downloads.

Four of these apps were discovered in February and reported to Google in March. The applications were removed on March 9, Check Point Research said. Two more dropper apps were discovered on March 15 and March 22 — both were removed on March 27.

Check Point Research said users could ensure safety from malware masquerading as software by installing applications only from verified publishers.

The researchers identified approximately 1,000 unique IP addresses of infected devices during the time of analysis. Most of the victims were from Italy (62 percent) and the UK (36 percent), with 2 percent from other countries.