SharkBot Malware Found in Thousands of File Manager Apps
Share this:
Researchers are warning about SharkBot malware was found in several file manager Android apps on the Google Play Store, some of them with thousands of downloads.
In general, Google Play Store would likely detect a trojan banker uploaded to their repository, so criminals resort to alternate methods. One way is with an app, sometimes legitimate with some of the advertised features, that doubles as a dropper for more insidious malware.
This was the case with several file manager apps, which were disguised as such to justify the request for permission to install external packages from the user.
Though the discovered apps are no longer available on the Google Play Store, they can still be found in different third-party stores, making them a current threat.
The first analyzed by the Bitdefender team was ‘X-File Manager,’ counting over 10,000 installs before it was deleted. ‘FileVoyager’ was the second one, counting roughly 5,000 downloads.
Two more apps were found following the same pattern, but they were never available on the Google Play store. They are called ‘Phone AID, Cleaner, Booster’ and ‘LiteCleaner M’ and were discovered on the web through third-party app stores.
Most users who downloaded the malicious apps were from the United Kingdom (80.6%) and Italy (16.2%), with a small minority in other countries.
This research was documented by researchers from Bitdefender Firm
Other Apps Monitored by the malware
| Package name | Financial institution |
| com.barclays.android.barclaysmobilebanking | Barclays |
| com.bankofireland.mobilebanking | Bank of Ireland Mobile Banking |
| com.cooperativebank.bank | The Co-operative Bank |
| ftb.ibank.android | AIB (NI) Mobile |
| com.nearform.ptsb | permanent tsb |
| uk.co.mbna.cardservices.android | MBNA Mobile App |
| com.danskebank.mobilebank3.uk | Mobile Bank UK – Danske Bank |
| com.barclays.bca | Barclaycard |
| com.tescobank.mobile | Tesco Bank and Clubcard Pay+ |
| com.virginmoney.uk.mobile.android | Virgin Money Mobile Banking |
| com.cooperativebank.smile | “smile – the internet bank” |
| com.starlingbank.android | Starling Bank – Mobile Banking |
| uk.co.metrobankonline.mobile.android.production | Metro Bank |
| uk.co.santander.santanderUK | Santander Mobile Banking |
| uk.co.hsbc.hsbcukmobilebanking | HSBC UK Mobile Banking |
| uk.co.tsb.newmobilebank | TSB Mobile Banking |
| com.grppl.android.shell.BOS | Bank of Scotland Mobile App |
| com.grppl.android.shell.halifax | Halifax Mobile Banking |
| com.grppl.android.shell.CMBlloydsTSB73 | Lloyds Bank Mobile Banking |
| it.copergmps.rt.pf.android.sp.bmps | Banca MPS |
| it.extrabanca.mobile | NewExtraMobileBank |
| it.relaxbanking | RelaxBanking Mobile |
| it.bnl.apps.banking | BNL |
| it.bnl.apps.enterprise.hellobank | Hello Bank! |
| it.ingdirect.app | ING Italia |
| it.popso.SCRIGNOapp | SCRIGNOapp |
| posteitaliane.posteapp.appbpol | BancoPosta |
| com.latuabancaperandroid | Intesa Sanpaolo Mobile |
| com.latuabancaperandroid.pg | Intesa Sanpaolo Business |
| com.latuabancaperandroid.ispb | Intesa Sanpaolo Private |
| com.fineco.it | Fineco |
| com.CredemMobile | Credem |
| com.bmo.mobile | BMO Mobile Banking |
| com.fideuram.alfabetobanking | Alfabeto Banking |
| com.lynxspa.bancopopolare | YouApp – Mobile Banking |
| com.vipera.chebanca | CheBanca! |
Indicators Of Compromise
Package name
- com.victorsoftice.llc
- com.potsepko9.FileManagerApp
- com.sidalistudio.developer.app
- com.ltdevelopergroups.litecleaner.m
File Hashes
- fa7947933a3561b7174f1d94472dcf8633a03749c14342ce65dafe94db361140
- 5481908f7cf651fde7b902f70c5c6f900a413de5976e1e0ba2b60c44f2a060c4
- 5ee5894c2be17c542601c113225862129ed96da6e6bd0d80c5ef0d500ad21fe3
- 0fb6f45af7834c742db0c7b68a61d177c49bb4c59e19640c62723c6b38a777ad
- 6f1eb9c21b026eecfd65459ec4cffe3954d24619010741e18722108d7bacf3d1
- 5e858fa31abe3b048be815a96234daa1123a9aab113d6f80b95dbf9437fb7343
- e2d2e7683e07c5ffa7b5475433057cec5c2993167f47ea650941f9871923792d
- 72512e7de8099e66beb9b4395b8c4a5c1dfd413c85977a31480ff8bd68b2ca6e
- 218c6e2327c8342192dc58c6e793fc3d5cba7f15e4b2f188c98cd4ba48bf244a
- 844efceeeeff73da35ac13c217ad5723c456ecec01fada7f92b9203fc29e7dcd
- 25e2a148a586acc6b741a64f42c618796a08ec9745eb3d1170acabf9e732a366
- 900fe34d5394689c86ead76666e79620ad7a10109c75d661af9bc7d8fb0c27b8
- b45edcbdfe9ad1a1990d723dca4405014a4fa1c578b75799219a4298b16175de
- 618ee1e79a927c57831527faf19739276f2706b6200ee8f52aa0eb0c66de6828
