Malicious apps masquerade as Android file managers to spread malware

News
By Sead Fadilpašić
published

Multiple apps found distributing Sharkbot malware to Android users

Trojan
(Image credit: Iaremenko Sergii / Shutterstock)

A new batch of malicious Android apps have managed to slither their way into the Google Play Store and enjoy more than ten thousand downloads before being removed, experts have warned.

Cybersecurity researchers from Bitdefender recently discovered four such apps: “X-File Manager”, “FileVoyager”, “PhoneAID, Cleaner, Booster 2.6”, and “LiteCleaner M”. Between them, they amassed at least 16,000 downloads, and they were distributing Sharkbot - a known banking trojan malware.

The apps are disguised as utility solutions - three are file management apps, while the fourth one is a memory and phone cleaning app. That way, the researchers suggest, the attackers were hoping not to raise suspicion when the apps start asking for all kinds of permissions. 

Delivering the payload

After all, in order for Sharkbot to steal sensitive banking data, it needs permission to do all kinds of things, overlaying other apps included. Sharkbot operates by laying on top of legitimate banking apps, so that when the user signs in with their login data, the trojan steals it. 

It seems the apps managed to trick Google’s security checks by not actually delivering the malware upon installation. Rather, the app will trigger an “update” at a later stage, which is when the trojan is deployed. 

The victims seem to be mostly people living in the UK and Italy, although the researchers observed the threat actors going after bank accounts of people in Iran, and Germany, as well. 

Read more

> These fake Android antivirus apps install a dangerous banking trojan

> These two dangerous Trojan 'dropper' Android apps have already been installed thousands of times

> Keep your business safe with the best endpoint protection

Although Google removed these apps from its repository as soon as possible, this still doesn’t change the fact that tens of thousands of people have installed these apps on their endpoints, and these people remain at risk. 

Until they completely remove these apps from their devices, and change the passwords to their banking accounts, they will remain a potential victim of identity theft, wire fraud, and other cybercriminal activity.

To protect against such attacks, it would be wise to keep the Play Protect service enabled, and an Android antivirus app active, it was said.

Via: BleepingComputer

Sead Fadilpašić
Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.