Android banking scam malware known as shark bot It’s resurfaced on the official Google Play store, posing as a file manager that bypasses app marketplace restrictions.
Most of the users who downloaded the malicious apps resided in the UK and Italy, and the Romanian cybersecurity company Bitdefender Said In an analysis released this week.
SharkBot, first discovered by Clafy towards the end of 2021, Repeated Mobile threats are distributed on both the Google Play store and other third-party app stores.
One of the main purposes of this Trojan is to initiate money transfers from a compromised device using a technique called “Automated Money Transfer System” (ATS), transactions triggered via banking apps are intercepted and in the background the recipient’s account is swapped for an actor-controlled account.
When a user attempts to open a legitimate banking app, it can provide a fake login overlay and steal credentials in the process.
Often such apps offer seemingly harmless functions and sneak into the Google Play Store disguised as antivirus software or cleaners. However, once installed on the device, it also acts as a dropper that can retrieve the malware payload.
Dropper apps that are currently being removed are: –
- X-File Manager (com.victorsoftice.llc) – 10,000+ downloads
- FileVoyager (com.potsepko9.FileManagerApp) – 5,000+ downloads
- LiteCleaner M (com.ltdevelopergroups.litecleaner.m) – Over 1,000 downloads
LiteCleaner M is still available for download from a third-party app store called Apksos, which also houses a fourth SharkBot artifact named “Phone AID, Cleaner, Booster” (com.sidalistudio.developer.app).
The X-File Manager app, accessible only to users in Italy, was downloaded over 10,000 times before being removed. With Google steadily cracking down on permission abuse, it’s no surprise that the attackers chose to use File Her Manager as a decoy.
Google’s developer program policy is Restrict Permission to install external packages (REQUEST_INSTALL_PACKAGES) in several app categories: web browsers, instant messengers with attachment support, file managers, enterprise device management, backup and restore, and device transfer.
Invariably, this permission is abused to download and install malware from remote servers. Banking apps targeted include Bank of Ireland, Bank of Scotland, Barclays, BNL, HSBC UK, Lloyds Bank, Metro Bank and Santander.
“application [i.e., the dropper] We target users in the UK and Italy by running an anti-emulator check and verifying if the SIM ISO is IT or GB ready,” Bitdefender researchers said.
Users who have installed the above apps are advised to remove them and change their bank account passwords immediately.It is recommended that users also enable Play Store Protectscrutinize app ratings and reviews before downloading.