December 9, 2023

Researchers are warning that SharkBot malware was found in several file manager Android apps on the Google Play Store, some of them with thousands of downloads.

In general, the Google Play Store would likely detect a banking trojan uploaded directly to its repository, so criminals resort to alternative methods. One is to publish an app, sometimes a working one with some of the advertised features, that doubles as a dropper for more insidious malware.

This was the case with several apps posing as file managers: the disguise justifies asking the user for permission to install external packages.
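A defender can check for this pattern in a decoded AndroidManifest.xml. The script below is an added example, not code from Bitdefender or the original article. It assumes the manifest has already been decoded to text XML (for instance with apktool) and that the permission in question is Android's REQUEST_INSTALL_PACKAGES; the package names come from the Indicators Of Compromise list on this page, and the sample manifests and `com.example.*` names are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Android permission an app must declare before it can ask to install other APKs.
INSTALL_PERM = "android.permission.REQUEST_INSTALL_PACKAGES"
# Dropper package names from this page's Indicators Of Compromise list.
IOC_PACKAGES = {
    "com.victorsoftice.llc",
    "com.potsepko9.FileManagerApp",
    "com.sidalistudio.developer.app",
    "com.ltdevelopergroups.litecleaner.m",
}

def triage_manifest(manifest_xml):
    """Classify one decoded AndroidManifest.xml: 'block', 'review' or 'ok'."""
    # Manifests from unknown APKs are untrusted XML; defusedxml is a safer parser in production.
    try:
        root = ET.fromstring(manifest_xml)
    except ET.ParseError:
        return {"package": None, "verdict": "review", "reasons": ["unparseable manifest"]}
    package = root.get("package", "")
    perms = {el.get(ANDROID_NS + "name")
             for tag in ("uses-permission", "uses-permission-sdk-23")
             for el in root.iter(tag)}
    reasons = []
    if package in IOC_PACKAGES:
        reasons.append("package name matches a listed dropper")
    if INSTALL_PERM in perms:
        # Legitimate file managers declare this too, so alone it is a review signal.
        reasons.append("can request installation of other packages")
    verdict = "block" if package in IOC_PACKAGES else ("review" if reasons else "ok")
    return {"package": package, "verdict": verdict, "reasons": reasons}

def _manifest(package, permissions):
    """Build a minimal constructed manifest for the demo below."""
    uses = "".join('<uses-permission android:name="%s"/>' % p for p in permissions)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            'package="%s">%s<application/></manifest>' % (package, uses))

# Constructed samples: the permission sets are illustrative, not taken from the real APKs.
SAMPLES = [
    _manifest("com.victorsoftice.llc", [INSTALL_PERM, "android.permission.INTERNET"]),
    _manifest("com.example.files", [INSTALL_PERM]),  # hypothetical file manager
    _manifest("com.example.notes", ["android.permission.INTERNET"]),  # hypothetical
]

if __name__ == "__main__":
    for xml_text in SAMPLES:
        print(triage_manifest(xml_text))
```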


Though the discovered apps are no longer available on the Google Play Store, they can still be found in different third-party stores, making them a current threat.

The first analyzed by the Bitdefender team was ‘X-File Manager,’ counting over 10,000 installs before it was deleted. ‘FileVoyager’ was the second one, counting roughly 5,000 downloads.

Two more apps were found following the same pattern, but they were never available on the Google Play store. They are called ‘Phone AID, Cleaner, Booster’ and ‘LiteCleaner M’ and were discovered on the web through third-party app stores.

Most users who downloaded the malicious apps were from the United Kingdom (80.6%) and Italy (16.2%), with a small minority in other countries.

This research was documented by researchers from the firm Bitdefender.


Other Apps Monitored by the malware

| Package name | Financial institution |
| --- | --- |
| com.barclays.android.barclaysmobilebanking | Barclays |
| com.bankofireland.mobilebanking | Bank of Ireland Mobile Banking |
| com.cooperativebank.bank | The Co-operative Bank |
| ftb.ibank.android | AIB (NI) Mobile |
| com.nearform.ptsb | permanent tsb |
| uk.co.mbna.cardservices.android | MBNA Mobile App |
| com.danskebank.mobilebank3.uk | Mobile Bank UK – Danske Bank |
| com.barclays.bca | Barclaycard |
| com.tescobank.mobile | Tesco Bank and Clubcard Pay+ |
| com.virginmoney.uk.mobile.android | Virgin Money Mobile Banking |
| com.cooperativebank.smile | “smile – the internet bank” |
| com.starlingbank.android | Starling Bank – Mobile Banking |
| uk.co.metrobankonline.mobile.android.production | Metro Bank |
| uk.co.santander.santanderUK | Santander Mobile Banking |
| uk.co.hsbc.hsbcukmobilebanking | HSBC UK Mobile Banking |
| uk.co.tsb.newmobilebank | TSB Mobile Banking |
| com.grppl.android.shell.BOS | Bank of Scotland Mobile App |
| com.grppl.android.shell.halifax | Halifax Mobile Banking |
| com.grppl.android.shell.CMBlloydsTSB73 | Lloyds Bank Mobile Banking |
| it.copergmps.rt.pf.android.sp.bmps | Banca MPS |
| it.extrabanca.mobile | NewExtraMobileBank |
| it.relaxbanking | RelaxBanking Mobile |
| it.bnl.apps.banking | BNL |
| it.bnl.apps.enterprise.hellobank | Hello Bank! |
| it.ingdirect.app | ING Italia |
| it.popso.SCRIGNOapp | SCRIGNOapp |
| posteitaliane.posteapp.appbpol | BancoPosta |
| com.latuabancaperandroid | Intesa Sanpaolo Mobile |
| com.latuabancaperandroid.pg | Intesa Sanpaolo Business |
| com.latuabancaperandroid.ispb | Intesa Sanpaolo Private |
| com.fineco.it | Fineco |
| com.CredemMobile | Credem |
| com.bmo.mobile | BMO Mobile Banking |
| com.fideuram.alfabetobanking | Alfabeto Banking |
| com.lynxspa.bancopopolare | YouApp – Mobile Banking |
| com.vipera.chebanca | CheBanca! |

Indicators Of Compromise

Package name

  • com.victorsoftice.llc
  • com.potsepko9.FileManagerApp
  • com.sidalistudio.developer.app
  • com.ltdevelopergroups.litecleaner.m

File Hashes

