These fake Android antivirus apps install a dangerous banking trojan


Following its discovery in several antivirus apps back in April, the SharkBotDropper trojan has once again infiltrated the Google Play Store, researchers have warned.

According to a new report from Fox-IT, a division of security company NCC Group, two additional Android antivirus apps have been found to carry the trojan, which is designed to steal online banking credentials.

The resurgence of SharkBot, the researchers say, signals the next step in the cat-and-mouse game between cyberattackers and Google. The malware no longer relies on the misuse of an Android device's accessibility permissions to install itself, but is delivered via an update to the following dummy apps:

  •  Mister Phone Cleaner (50,000+ downloads)
  •  Kylhavy Mobile Security (10,000+ downloads)

Android banking trojan

If users have installed either of these apps, Sharkbot can compromise their private banking details in a number of ways.

It may inject a fake login page when the official banking app is opened. If this happens, users might see a screen that looks unfamiliar, or at least differs slightly from the normal interface.

SharkBot is also known to log key presses and send them to an external server, as well as intercept and hide text messages. It can also send out responses to received text and instant messages, spreading the malware via a shortened link.

Perhaps the most potent method that Sharkbot can use to compromise banking credentials is letting attackers tap remotely into a user’s device, to autofill transaction forms within banking apps and set transfers in motion.

It’s a small mercy that, for most of these features to work correctly, banking apps must be granted accessibility permissions. Users should check to see if these are enabled, and, if they’re still needed, consider removing their banking app in the short term.
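The check above can be automated on a device connected over adb. Android keeps every enabled accessibility service in the Secure setting `enabled_accessibility_services` as a colon-separated list of `package/serviceclass` entries; the helper below (added here as an example, not code from the report or from TechRadar) parses that value and flags any package that is not on an allowlist of services the user deliberately enabled. The package names in the sample are constructed placeholders, since the article identifies the dummy apps only by their store titles.

```python
"""Flag unexpected Android accessibility services.

Accessibility access is what lets SharkBot-style trojans overlay fake login
pages, log key presses and drive transaction forms. The value parsed here is
what `adb shell settings get secure enabled_accessibility_services` prints.
"""
from typing import Dict, List

# Constructed sample of the setting's format; package names are placeholders,
# not the real identifiers of the apps named in the article.
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/.TalkBackService:"
    "com.example.phonecleaner/.CleanerAccessibilityService:"
    "com.example.phonecleaner/com.example.phonecleaner.svc.Overlay"
)


def parse_enabled_services(value: str) -> Dict[str, List[str]]:
    """Map each package to the accessibility service classes it has enabled."""
    # `settings get` prints the literal string "null" when nothing is enabled.
    if not value or value.strip() == "null":
        return {}
    services: Dict[str, List[str]] = {}
    for entry in value.strip().split(":"):
        if not entry:
            continue  # tolerate a trailing or doubled colon
        package, _, cls = entry.partition("/")
        if cls.startswith("."):  # shorthand: class name relative to the package
            cls = package + cls
        services.setdefault(package, []).append(cls)
    return services


def unexpected_services(value: str, allowlist: List[str]) -> Dict[str, List[str]]:
    """Return enabled services whose package is not on the allowlist."""
    allowed = set(allowlist)
    return {pkg: classes for pkg, classes in parse_enabled_services(value).items()
            if pkg not in allowed}


if __name__ == "__main__":
    # Only the screen reader is expected; anything else deserves a look.
    flagged = unexpected_services(SAMPLE_SETTING, ["com.google.android.marvin.talkback"])
    for pkg, classes in flagged.items():
        print(f"review {pkg}: {', '.join(classes)}")
```

On a real device, replace `SAMPLE_SETTING` with the output of the adb command quoted in the docstring and list in the allowlist only the services you enabled yourself.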

To protect against attacks like these, users should run regular security scans using a reputable antivirus app for Android, and let it remove any threats, such as SharkBot, that it finds.

If the device in question exists within a larger network, users should consider investing in endpoint protection for their business.

Those who may have already been infected by the offending apps, meanwhile, should first uninstall them, and then stop using banking apps until the threat has been removed.

The evolution of SharkBot

SharkBot’s design features may hint at a shift in the methods employed by some cyberattackers, from infecting as many devices as possible to targeting devices in specific regions as part of geopolitical campaigns.

April’s SharkBot epidemic chiefly targeted the United Kingdom and Italy, but in late August, Fox-IT found that Spain, Australia, Poland, Germany, Austria and the United States are now also being targeted by SharkBot’s command-and-control servers (C2s).

A separate report published in April by Check Point Research noted that “Sharkbot doesn’t target every potential victim it encounters, but only select ones, using the geofencing feature to identify and ignore users from China, India, Romania, Russia, Ukraine or Belarus.”

Malware attacks can be unsettling, especially when the motivations behind them are unclear. That’s why it’s important to have malware removal tools on hand, blocking threats in real-time, so that users never have to worry about a malicious attack again.

Luke Hughes
Staff Writer

Luke Hughes holds the role of Staff Writer at TechRadar Pro, producing news, features and deals content across topics ranging from computing to cloud services, cybersecurity, data privacy and business software.