Check Point discovered that hackers had created fake antivirus apps on the Google Play Store that installed malware.
The six apps included “Antivirus, Super Cleaner,” “Center Security – Antivirus” and “Powerful Cleaner Antivirus.” In reality, the programs delivered a malware strain dubbed “Sharkbot,” which can steal your login credentials and bank account information.
The apps were downloaded over 15,000 times, mainly by users in Italy and the UK. Google removed all six apps after the report emerged.
The six apps work by functioning as droppers, which will install the Sharkbot malware. Moreover, the malware installation will only trigger in select geographies such as China, India, Romania, Russia, Ukraine, or Belarus.
Sharkbot will then try to steal passwords by creating fake login windows on the phone. When the user enters credentials in these windows, the compromised data is sent to a malicious server. Sharkbot doesn’t target every potential victim it encounters, but only select ones, using the geofencing feature to identify and ignore users from China, India, Romania, Russia, Ukraine, or Belarus.
The malware also includes other nefarious functions, such as the ability to steal phone contacts, display push notifications, and secretly uninstall other apps on the phone. In addition, Sharkbot will stop all processes if it detects that it is being run in an isolated “sandbox” software environment instead of on an actual phone. This can help it evade detection by security researchers.
SharkBot needs the victim to enable the Accessibility Permissions & Services. These permissions allow Android banking malware to intercept all the accessibility events produced by the user's interaction with the user interface, including button presses, touches, and TextField changes.
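Because the malware depends on an enabled accessibility service, a defender can audit which apps hold one. The sketch below is an added example, not from Check Point's report: it parses the value returned by `adb shell settings get secure enabled_accessibility_services` and reports every service whose package is not on an allowlist. The allowlist contents and the sample value (including the package `com.example.cleaner.antivirus`) are constructed assumptions.

```python
"""Audit which apps hold an enabled Android accessibility service."""

# Assumption: packages expected to run an accessibility service on this fleet.
ALLOWLIST = {"com.google.android.marvin.talkback"}


def parse_enabled_services(raw):
    """Parse the colon-separated component list stored in the secure setting
    `enabled_accessibility_services` into (package, full_class) tuples."""
    raw = (raw or "").strip()
    if raw in ("", "null"):            # setting unset: nothing is enabled
        return []
    services = []
    for entry in raw.split(":"):
        entry = entry.strip()
        if not entry:
            continue
        if "/" not in entry:
            # Malformed entry: keep it so it is reported rather than hidden.
            services.append((entry, ""))
            continue
        package, cls = entry.split("/", 1)
        if cls.startswith("."):        # short form, class relative to package
            cls = package + cls
        services.append((package, cls))
    return services


def unexpected_services(raw, allowlist=ALLOWLIST):
    """Return enabled services whose package is not on the allowlist."""
    return [(p, c) for p, c in parse_enabled_services(raw) if p not in allowlist]


# Constructed sample value, not captured from a real device.
SAMPLE = (
    "com.google.android.marvin.talkback/.TalkBackService:"
    "com.example.cleaner.antivirus/com.example.cleaner.antivirus.HelperService"
)

if __name__ == "__main__":
    for package, cls in unexpected_services(SAMPLE):
        print(f"REVIEW: {package} has accessibility service {cls or '(malformed)'}")
```

An "antivirus" or "cleaner" app appearing in this output deserves a closer look, since such tools rarely need to observe every UI event.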