Fake Antivirus Apps Used to Spread Sharkbot Mobile Malware
Sharkbot, a type of banking malware, was discovered on the Google Play Store and subsequently taken down. The malware was hiding in apps designed to look like mobile antivirus and security solutions.
A group of researchers with information security firm Check Point picked apart the campaign pushing Sharkbot on the official Google Play Store. According to the research team, the fake antivirus apps clocked about 15 thousand downloads before they were taken down.
Sharkbot chooses its victims
The team alerted Google about the presence of the Sharkbot malware inside the apps and Google promptly took action. Sadly, the malware-laden apps spent enough time on the store to rack up a significant number of downloads first.
According to Check Point, at least six different apps were up on the store and were pushing the Sharkbot banking malware. What made this campaign a little more unusual was a couple of features used by the hackers. For one, this version of Sharkbot used geofencing: it was configured to avoid infecting devices in specific regions of the world.
Infected devices mostly in UK and Italy
In addition to geofencing, Sharkbot also included a domain generation algorithm. This effectively means that the malware was able to generate large volumes of domain names, which were then used for Sharkbot's command and control servers.
Most of the devices that Sharkbot landed on through the fake antivirus apps were located in European countries, specifically Italy and the UK. The devices were identified through their IP addresses by the research team.
Incidents of malware slipping quietly onto the Google Play Store, despite efforts to make it a completely safe space, are always unpleasant. This is not the first such case this year either. Previously, malware-laden apps remained on the Play Store for around a month before Google was alerted and took them down.