SharkBot Banking Trojan Returns to Google Play Store

SharkBot banking trojan, as we know it, has been targeting Android devices for a while now. What appears to have become a trend was recently identified by Bitdefender when they found a trove of malicious apps in the official Google Play Store that pushed aggressive unwanted ads which could potentially lead to more serious attacks.

This finding was not surprising since, in the last few months, malicious apps have begun to be distributed directly from the official store which makes people inclined to believe that they’re safe.

Through their real-time behavioral technology designed to detect softwares acting suspiciously, the research team at Bitdefender uncovered apps downloaded from Google Play acting as droppers for SharkBot banking trojan a short while after being installed.

“The Google Play Store would likely detect a trojan banker uploaded to their repository, so criminals resort to more covert methods. One way is with an app, sometimes legitimate with some of the advertised features, that doubles as a dropper for more insidious malware,”.

Bitdefender

The apps that Bitdefender found were disguised as file managers, which allows them to easily request and gain permission from the user to install external packages. What adds to their disguise and allows them to evade detection is that the malicious behavior is activated to a restricted pool of users and Google Play apps only need the functionality of a file manager to install another app.

One of the identified apps is called X-File Manager which installs SharkBot samples with the label _File Manager, tricking the user into believing that an update for the app needs to be installed before using it.

What’s interesting in this case is that they target users depending on their location and most users who have downloaded the apps are either primarily from the United Kingdom or Italy. Furthermore, the developer profile on Google Play is also only visible to users from Italy or the United Kingdom. The page cannot be accessed without specifying the country code.

Bitdefender’s technical writeup also revealed that the application performed anti-emulator checks and targeted users from Great Britain and Italy by verifying if the SIM ISO corresponded with IT or GB. It also checks if one of the targeted banking applications has been installed on the user’s device.

The app has been removed from Google Play at the time of writing but is available on other websites. Similar malicious apps identified by Bitdefender include FileVoyager and LiteCleaner M.

1. SandStrike Spyware Infecting Android Devices through VPN Apps
2. VirusTotal Reveals Apps Most Exploited by Hackers to Spread Malware
3. New Dropper Apps on Play Store Targeting Banking and Crypto Wallets
4. Fake Antivirus Apps on Play Store Loaded with SharkBot Banking Trojan
5. Malicious Security App on Play Store Caught Dropping SharkBot Malware

I am a cyber security writer and one of my favourite games is Minecraft. I also really like obscure cat memes and during my free time, if I’m not found hanging around in Discord voice channels with my friends, I’m probably cycling and taking pictures of random cats on the street.